- CVE: CVE-2026-31694
- CVSS: 7.8 (High · CVSSv3)
- Product: Linux
- Affected: 27992ef80770d61a57f6c3a551735b08cefdffa3, 6.15
- Impact: fuse: reject oversized dirents in page cache
- Status: No confirmed exploitation yet
- Patched in: 7de93abfaae1b2dc94da8a07a36421bd073f1d8f, 474ce83c96a55f2eeb14dee2be375eeadfdacdf5, 51a8de6c50bf947c8f534cd73da4c8f0a13e7bed, 6.18.25 (+2 more)
- EPSS: 0.1% (30-day)
- Action: Update to 7de93abfaae1b2dc94da8a07a36421bd073f1d8f, 474ce83c96a55f2eeb14dee2be375eeadfdacdf5, 51a8de6c50bf947c8f534cd73da4c8f0a13e7bed, 6.18.25 (+2 more) now
TL;DR
Researchers have published full details and working exploit code for CVE-2026-31694. This Linux kernel FUSE bug lets a local user overflow the page cache and seize root. It reaches recent kernels on machines that use 4 KiB memory pages.
Why it matters
Local privilege escalation flaws turn a low-level account into full root. This one needs no special rights at the start. An attacker only needs to mount a FUSE filesystem. Many desktops and containers allow that through fusermount3 or user namespaces. As a result, the bug widens the local attack surface. Containers and shared servers face the widest exposure. Attackers prize such bugs, since they need no network foothold. SUSE rates the issue as important severity. So far, no in-the-wild attacks have been confirmed. Still, a public exploit raises the stakes for defenders.
How the attack works
FUSE lets ordinary users run filesystems from userspace. The kernel acts as a client and asks a user program for directory data. When caching is on, it stores those entries in the page cache. Each entry must fit inside one fixed 4 KiB page. However, the code never checked that rule before copying. Record size comes straight from the server-controlled name length. The kernel simply trusts that math without a second check. So a malicious FUSE server can send a 4,095-byte name. That entry serializes into a 4,120-byte record. Copying it overflows the page by 24 attacker-controlled bytes. Those stray bytes spill into the next kernel page in memory. From there, the write can corrupt a nearby cached file.
Public disclosure and exploitation status
Bynar’s team disclosed the full mechanism in a detailed research write-up. It also released exploit code on GitHub for anyone to study. Its validator corrupts a cached privileged binary to reach a root shell. That path gives a clean local privilege escalation to root. An independent researcher shipped a separate local-root exploit as well. Both efforts show the Linux kernel FUSE flaw is practical, not theoretical. Even so, CISA has not listed it as known exploited. Public exploit ratings also stay low for now.
Affected versions
The bug lives in fs/fuse/readdir.c, inside the readdir cache path. Its flawed code dates back to a 2018 caching feature. Yet it only became reachable after a 2025 buffer change. So practical risk starts near Linux 6.16-rc1, per Bynar. Independent trackers list affected builds into the 7.1 release candidates. The test popped a root shell on an Ubuntu 26.04 image. Machines with pages larger than 4 KiB stay safe.
Patch and mitigation
Maintainers fixed the flaw upstream with a small bounds check. The patch rejects any entry that cannot fit in one page. It has reached mainline and several stable trees already. Admins should install the distro kernel update first. Container hosts deserve priority, given the broad local surface. Until then, limit FUSE where nobody needs it. You can strip the setuid bit from fusermount3 on unused systems. Also restrict unprivileged user namespaces to shrink the attack surface.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.