SecurityHome.eu FreeBSD Security Advisory FreeBSD-SA-26:20.fusefs

Home / mailings PDF

FreeBSD Security Advisory FreeBSD-SA-26:20.fusefs
Posted on 21 May 2026
FreeBSD security notificat
=============================================================================FreeBSD-SA-26:20.fusefs Security Advisory
The FreeBSD Project

Topic: Heap overflow in FUSE_LISTXATTR

Category: core
Module: fusefs
Announced: 2026-05-20
Credits: Joshua Rogers of AISLE Research Team
Affects: All supported versions of FreeBSD.
Corrected: 2026-05-20 19:36:38 UTC (stable/15, 15.0-STABLE)
2026-05-20 19:39:32 UTC (releng/15.0, 15.0-RELEASE-p9)
2026-05-20 19:37:58 UTC (stable/14, 14.4-STABLE)
2026-05-20 19:39:58 UTC (releng/14.4, 14.4-RELEASE-p5)
2026-05-20 19:40:36 UTC (releng/14.3, 14.3-RELEASE-p14)
CVE Name: CVE-2026-45252

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

The fusefs file system delegates file system operations to a userspace
daemon. This daemon ordinarily requires root privileges to operate. When
the "vfs.usermount" sysctl is set to 1 (not the default), unprivileged users
are permitted to run such daemons and mount fusefs file systems.

II. Problem Description

When a fusefs file system implements extended attributes, the kernel may send
a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended
attributes for a given file. The FUSE protocol requires the daemon to return
a packed list of NUL-terminated strings. The fusefs kernel module calls
strlen() on this daemon-supplied buffer without first verifying that the
entire list is NUL-terminated.

III. Impact

If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel
module may read beyond the end of one heap-allocated buffer and potentially
write beyond the end of a second buffer. A malicious daemon could disclose
up to 253 bytes of kernel heap memory, or it could inject up to 250
attacker-controlled bytes into unallocated kernel heap space.

IV. Workaround

No workaround is available, but systems that do not load the fusefs kernel
module or set vfs.usermount=1 are unaffected.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-15.patch.asc
# gpg --verify fusefs-15.patch.asc

[FreeBSD 14.4]
# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.4.patch
# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.4.patch.asc
# gpg --verify fusefs-14.4.patch.asc

[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.3.patch
# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.3.patch.asc
# gpg --verify fusefs-14.3.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ df3f3fa82775 stable/15-n283642
releng/15.0/ 0dd8b983db3c releng/15.0-n281042
stable/14/ 25148c51c8c6 stable/14-n274165
releng/14.4/ 6a299460f159 releng/14.4-n273705
releng/14.3/ 53f3bf4ee1ce releng/14.3-n271505
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-45252>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:20.fusefs.asc>

TOP

Mailings :

Last 20

Exploits :

Last 20