newly disclosed Linux kernel vulnerability, tracked as CVE-2026-31694, allows unprivileged local users to gain root privileges on affected systems. The flaw exists in the Linux FUSE (Filesystem in Userspace) subsystem and affects the way directory entries are stored in the kernel page cache.
Researchers demonstrated that the vulnerability can be exploited to modify a SUID binary, such as /usr/bin/su, allowing attackers to execute code with root privileges. The issue affects Linux kernel v6.16-rc1 and later on systems using a 4 KB page size.
How the Vulnerability Works
The flaw is caused by improper validation of directory entry sizes before they are copied into the kernel page cache. When an oversized directory entry is processed, it can trigger a small memory overflow beyond the page boundary.
Researchers showed that this overflow can corrupt cached executable files, including SUID binaries such as /usr/bin/su. When the modified binary is executed, the injected code runs with root privileges before the normal authentication process begins, allowing attackers to gain full control of the system.
To successfully exploit the vulnerability, an attacker must:
- Have local access to the system.
- Be able to mount a FUSE filesystem.
- Create a specially crafted directory entry.
- Trigger the vulnerable code path through FUSE operations.
Affected Systems and Mitigation
The vulnerability becomes practically exploitable on Linux kernel v6.16-rc1 and later, after changes that increased the FUSE directory read buffer size. Systems using a 4 KB page size are affected, while systems with larger page sizes are not vulnerable to this specific overflow.
The Linux kernel developers have released a patch that prevents oversized directory entries from being cached, eliminating the overflow condition.
Organizations should take the following steps to reduce risk:
- Update affected Linux systems with the latest kernel patches.
- Restrict or disable unprivileged FUSE mounts where possible.
- Disable unprivileged user namespaces if they are not required.
- Remove the setuid permission from fusermount3 when it is not needed.
- Monitor systems for unauthorized local privilege escalation attempts.
- Review systems for unusual activity involving FUSE filesystems and SUID binaries.
Although this vulnerability requires local access, it highlights how a small flaw in a kernel subsystem can lead to complete system compromise. Prompt patching, restricting unnecessary FUSE access, and limiting local privileges are the most effective ways to reduce the risk of exploitation.