CVE-2026-45252 – Heap overflow in FUSE_LISTXATTR

CVE ID :CVE-2026-45252

Published : May 21, 2026, 10:16 a.m. | 42 minutes ago

Description :When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated.

If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-45255 – Remote code execution via installer Wi-Fi access point scans

CVE-2026-45254 – Incorrect libcap_net limitation list manipulation

CVE-2026-45253 – Missing validation in ptrace(PT_SC_REMOTE)

CVE-2026-45251 – Kernel use-after-free via file descriptor syscalls