Linux Kernel FUSE Flaw (CVE-2026-31694) Hands Local Attackers Root

A newly disclosed Linux kernel vulnerability in the FUSE (Filesystem in Userspace) subsystem lets a local, unprivileged attacker escalate to root. Tracked as CVE-2026-31694, the flaw lives in the code that caches FUSE directory listings — and a working proof of concept already demonstrates a clean path to a root shell.

How It Works

FUSE lets a userspace program act as a filesystem by talking to the kernel through /dev/fuse, and the kernel caches directory entries to speed up future reads. The bug sits in fuse_add_dirent_to_cache(), where the kernel calculates a directory entry’s size from a server-controlled filename length and then copies that entry into a single cache page — without first checking whether the entry is larger than one page.

That missing check is the whole problem. A malicious FUSE server can return a directory entry serialized to 4120 bytes on a system using 4 KiB pages, which is 24 bytes too big for a single page. The kernel resets the offset to zero and copies it anyway, so the extra bytes spill into the adjacent memory page.

Why It’s Dangerous

The real threat isn’t the overflow itself — it’s where the corrupted bytes land. In the validated exploit, the overflow corrupts cached bytes of a SUID binary such as su, overwriting the beginning of its executable code with a short payload that calls setuid(0) and setgid(0) before continuing normally. Once those identity-changing syscalls run inside a root-owned program, the attacker bypasses the usual authentication checks and spawns a root shell.

Who Is Affected

The attack is local, so an attacker needs the ability to mount or run a FUSE filesystem. That capability is often available through unprivileged user namespaces or fusermount3. Per the Bynario research, the flaw is exploitable on newer kernels with large readdir buffers and affects only systems using 4 KiB memory pages — configurations with larger page sizes aren’t hit by this specific overflow.

The Fix and Mitigations

The kernel fix is straightforward: reject any directory entry that doesn’t fit in a single page before caching it. Patch to the corrected kernel version as soon as your distribution ships it.

If you can’t patch immediately, reduce your exposure by limiting FUSE usage, removing the setuid bit from fusermount3 when it isn’t needed, and restricting unprivileged user namespaces. Those two settings matter most, since they’re the primary avenues that let an ordinary user mount the malicious FUSE filesystem in the first place.

Bottom Line

CVE-2026-31694 is a textbook local privilege escalation: a missing bounds check turns an attacker-controlled filename into targeted memory corruption of a SUID binary, and from there into root. Patch the kernel, and in the meantime lock down unprivileged namespaces and fusermount3 to cut off the attack surface.

Related Reading

Avatar photo
David Cao

David is a Cloud & DevOps Enthusiast. He has years of experience as a Linux engineer. He had working experience in AMD, EMC. He likes Linux, Python, bash, and more. He is a technical blogger and a Software Engineer. He enjoys sharing his learning and contributing to open-source.

Articles: 679

Leave a Reply

Your email address will not be published. Required fields are marked *