GBHackers

Linux FUSE Vulnerability Allows Unprivileged Users to Pop a Root Shell


A newly disclosed Linux kernel vulnerability in the FUSE subsystem allows unprivileged local users to escalate privileges to root by corrupting the page cache and hijacking execution of a SUID binary such as /usr/bin/su on Ubuntu 26.04.

Tracked as CVE-2026-31694, the flaw affects the FUSE directory-caching logic. It can be exploited to achieve reliable local privilege escalation (LPE) on kernels starting from v6.16-rc1 when combined with unprivileged FUSE mounts.

Linux FUSE Vulnerability

The issue lies in fuse_add_dirent_to_cache() in fs/fuse/readdir.c. This function copies FUSE directory entries into the kernel page cache when the FOPEN_CACHE_DIR flag is enabled.

FUSE directory entries are represented as struct fuse_dirent, where the total record size (reclen) is derived from the attacker-controlled namelen field via the FUSE_DIRENT_SIZE() macro.

While namelen is capped at 4095 bytes, this still allows a maximum serialized record size of 4120 bytes, which exceeds the standard 4 KiB page size on x86_64 systems.

The vulnerable logic only checks whether the dirent fits in the remaining space of the current page and, if not, jumps to a fresh page and copies reclen bytes into it without verifying whether the dirent itself exceeds PAGE_SIZE, resulting in a 24-byte heap overflow past the end of the page cache page.

The Bynario team validated exploitability by chaining this controlled 24-byte overflow into code execution in a cached SUID binary.

Because executable files are also backed by the page cache, corrupting the cached contents of a SUID binary allows an attacker to modify the instructions that will be executed with root privileges on the next invocation.

On Ubuntu 26.04 with a vulnerable 7.0 kernel, the exploit targets the .init section of /usr/bin/su, which runs before main() and before normal authentication flow.

By carefully shaping memory allocations with a pool of “sacrificial” files and repeated cache fault/evict cycles, the exploit arranges for the oversized FUSE directory entry page to be allocated immediately before the .init page of su, so the 24-byte overflow replaces the first instructions in that page.

The injected payload is minimal x86_64 shellcode that calls setuid(0) and setgid(0) and then returns, allowing su to continue as normal but now executing with root credentials without prompting for a password. When the corrupted /usr/bin/su is executed, the process prints uid=0 (root). It drops the attacker into a root shell, confirming a successful LPE.

Affected Versions and Exploitation Requirements

The vulnerable directory caching logic was introduced in 2018 with commit 69e34551152a (“fuse: allow caching readdir”), but was not practically reachable until a later change increased the FUSE readdir buffer size.

Before commit dabb90391028 (“fuse: increase readdir buffer size”), the kernel allocated only a PAGE_SIZE buffer for FUSE readdir replies, preventing delivery of a 4120-byte malicious dirent; thus, practical exploitation begins with Linux v6.16-rc1 and later.

Only systems with 4 KiB page size are affected, as larger page sizes can accommodate the 4120-byte record without overflow.

An attacker must be able to mount a FUSE filesystem, either through unprivileged user namespaces or via fusermount3, then return an oversized directory entry from the FUSE server and trigger the vulnerable path by calling getdents64() on the crafted directory.

Upstream developers accepted a patch that adds a simple but effective guard: if the serialized dirent size reclen exceeds PAGE_SIZE, the kernel skips caching the entry instead of copying it into the page cache.

This change, merged as commit 51a8de6c50bf947c8f534cd73da4c8f0a13e7bed, fully prevents overflow by ensuring that no single cached dirent can spill over a page boundary.

Admins are urged to deploy kernel updates incorporating this fix on affected systems and to harden FUSE exposure where possible.

Recommended mitigations include stripping the setuid bit from fusermount3 when not needed and restricting or turning off unprivileged user namespaces to reduce the attack surface for untrusted users.

Environments where unprivileged users cannot mount FUSE filesystems or trigger large readdir operations are significantly less exposed.

From a threat-reporting perspective, this bug underscores how relatively small, deterministic overflows in kernel subsystems such as FUSE can still yield reliable root exploits when combined with precise page-cache manipulation and targeted corruption of SUID binaries.

Interact with Cyber Threats in Windows, Linux, macOS VMs to Trigger Full Attack Chain - Analyse Malware & Phishing with ANY RUN



Source link