{"id":"CVE-2026-31694","summary":"fuse: reject oversized dirents in page cache","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: reject oversized dirents in page cache\n\nfuse_add_dirent_to_cache() computes a serialized dirent size from the\nserver-controlled namelen field and copies the dirent into a single\npage-cache page. The existing logic only checks whether the dirent fits\nin the remaining space of the current page and advances to a fresh page\nif not. It never checks whether the dirent itself exceeds PAGE_SIZE.\n\nAs a result, a malicious FUSE server can return a dirent with\nnamelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB\npage systems this causes memcpy() to overflow the cache page by 24 bytes\ninto the following kernel page.\n\nReject dirents that cannot fit in a single page before copying them into\nthe readdir cache.","modified":"2026-07-09T18:29:42.418349713Z","published":"2026-05-01T13:53:36.048Z","related":["CGA-m73x-j6m9-v38q","SUSE-SU-2026:2111-1","SUSE-SU-2026:21834-1","SUSE-SU-2026:21841-1","SUSE-SU-2026:21845-1","SUSE-SU-2026:21860-1","SUSE-SU-2026:21876-1","SUSE-SU-2026:21877-1","SUSE-SU-2026:21916-1","SUSE-SU-2026:21919-1","SUSE-SU-2026:2195-1","SUSE-SU-2026:2202-1","SUSE-SU-2026:2215-1","SUSE-SU-2026:2216-1","SUSE-SU-2026:2217-1","SUSE-SU-2026:22276-1","SUSE-SU-2026:22277-1","SUSE-SU-2026:22278-1","SUSE-SU-2026:22279-1","SUSE-SU-2026:22280-1","SUSE-SU-2026:22281-1","SUSE-SU-2026:22282-1","SUSE-SU-2026:22283-1","SUSE-SU-2026:22288-1","SUSE-SU-2026:2238-1","SUSE-SU-2026:22383-1","SUSE-SU-2026:22384-1","SUSE-SU-2026:22385-1","SUSE-SU-2026:22386-1","SUSE-SU-2026:22387-1","SUSE-SU-2026:22388-1","SUSE-SU-2026:22389-1","SUSE-SU-2026:22390-1","SUSE-SU-2026:22391-1","SUSE-SU-2026:22396-1","SUSE-SU-2026:22397-1","SUSE-SU-2026:22398-1","SUSE-SU-2026:22399-1","SUSE-SU-2026:22400-1","SUSE-SU-2026:22401-1","SUSE-SU-2026:22402-1","SUSE-SU-2026:22403-1","SUSE-SU-2026:22404-1","SUSE-SU-2026:22405-1","SUSE-SU-2026:22406-1","SUSE-SU-2026:22407-1","SUSE-SU-2026:22408-1","SUSE-SU-2026:22409-1","SUSE-SU-2026:22410-1","SUSE-SU-2026:22411-1","SUSE-SU-2026:22412-1","SUSE-SU-2026:22413-1","SUSE-SU-2026:22414-1","SUSE-SU-2026:22415-1","SUSE-SU-2026:22416-1","SUSE-SU-2026:22417-1","SUSE-SU-2026:22418-1","SUSE-SU-2026:22419-1","SUSE-SU-2026:22420-1","SUSE-SU-2026:22421-1","SUSE-SU-2026:22425-1","SUSE-SU-2026:22426-1","SUSE-SU-2026:22427-1","SUSE-SU-2026:22428-1","SUSE-SU-2026:22461-1","SUSE-SU-2026:22462-1","SUSE-SU-2026:22463-1","SUSE-SU-2026:22464-1","SUSE-SU-2026:22465-1","SUSE-SU-2026:22466-1","SUSE-SU-2026:22467-1","SUSE-SU-2026:22468-1","SUSE-SU-2026:22469-1","SUSE-SU-2026:22470-1","SUSE-SU-2026:22471-1","SUSE-SU-2026:22472-1","SUSE-SU-2026:22473-1","SUSE-SU-2026:22474-1","SUSE-SU-2026:22475-1","SUSE-SU-2026:22476-1","SUSE-SU-2026:22478-1","SUSE-SU-2026:22479-1","SUSE-SU-2026:22480-1","SUSE-SU-2026:22481-1","SUSE-SU-2026:22482-1","SUSE-SU-2026:22483-1","SUSE-SU-2026:22484-1","SUSE-SU-2026:22485-1","SUSE-SU-2026:22486-1","SUSE-SU-2026:22487-1","SUSE-SU-2026:22488-1","SUSE-SU-2026:22489-1","SUSE-SU-2026:22490-1","SUSE-SU-2026:22491-1","SUSE-SU-2026:22507-1","SUSE-SU-2026:22508-1","SUSE-SU-2026:22509-1","SUSE-SU-2026:2496-1","SUSE-SU-2026:2500-1","SUSE-SU-2026:2503-1","SUSE-SU-2026:2511-1","SUSE-SU-2026:2520-1","SUSE-SU-2026:2532-1","SUSE-SU-2026:2559-1","SUSE-SU-2026:2567-1","SUSE-SU-2026:2571-1","SUSE-SU-2026:2588-1","SUSE-SU-2026:2594-1","SUSE-SU-2026:2601-1","SUSE-SU-2026:2607-1","SUSE-SU-2026:2608-1","SUSE-SU-2026:2610-1","openSUSE-SU-2026:10793-1","openSUSE-SU-2026:20826-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31694.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/474ce83c96a55f2eeb14dee2be375eeadfdacdf5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/51a8de6c50bf947c8f534cd73da4c8f0a13e7bed"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7de93abfaae1b2dc94da8a07a36421bd073f1d8f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31694.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31694"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"27992ef80770d61a57f6c3a551735b08cefdffa3"},{"fixed":"7de93abfaae1b2dc94da8a07a36421bd073f1d8f"},{"fixed":"474ce83c96a55f2eeb14dee2be375eeadfdacdf5"},{"fixed":"51a8de6c50bf947c8f534cd73da4c8f0a13e7bed"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31694.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.15.0"},{"fixed":"6.18.25"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31694.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}