2464503 – (CVE-2026-31694) CVE-2026-31694 kernel: fuse: reject oversized dirents in page cache

Bug 2464503 (CVE-2026-31694) - CVE-2026-31694 kernel: fuse: reject oversized dirents in page cache

Summary: CVE-2026-31694 kernel: fuse: reject oversized dirents in page cache

Keywords:
Status:	NEW
Alias:	CVE-2026-31694
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-01 15:10 UTC by OSIDB Bzimport
Modified:	2026-05-01 19:23 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-01 15:10:24 UTC

In the Linux kernel, the following vulnerability has been resolved:

fuse: reject oversized dirents in page cache

fuse_add_dirent_to_cache() computes a serialized dirent size from the
server-controlled namelen field and copies the dirent into a single
page-cache page. The existing logic only checks whether the dirent fits
in the remaining space of the current page and advances to a fresh page
if not. It never checks whether the dirent itself exceeds PAGE_SIZE.

As a result, a malicious FUSE server can return a dirent with
namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB
page systems this causes memcpy() to overflow the cache page by 24 bytes
into the following kernel page.

Reject dirents that cannot fit in a single page before copying them into
the readdir cache.

Comment 1 Keith Grant 2026-05-01 19:21:04 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050139-CVE-2026-31694-f974@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.