CVE-2026-45252

EUVD-2026-31254

21.05.2026, 10:16

When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file.  The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings.  The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated.

If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer.  A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Affected Products (NVD)

Vendor	Product	Version
freebsd	freebsd	14.3
freebsd	freebsd	14.3:p1
freebsd	freebsd	14.3:p10
freebsd	freebsd	14.3:p11
freebsd	freebsd	14.3:p12
freebsd	freebsd	14.3:p13
freebsd	freebsd	14.3:p2
freebsd	freebsd	14.3:p3
freebsd	freebsd	14.3:p4
freebsd	freebsd	14.3:p5
freebsd	freebsd	14.3:p6
freebsd	freebsd	14.3:p7
freebsd	freebsd	14.3:p8
freebsd	freebsd	14.3:p9
freebsd	freebsd	14.4
freebsd	freebsd	14.4:p1
freebsd	freebsd	14.4:p2
freebsd	freebsd	14.4:p3
freebsd	freebsd	14.4:p4
freebsd	freebsd	14.4:rc1
freebsd	freebsd	15.0
freebsd	freebsd	15.0:p1
freebsd	freebsd	15.0:p2
freebsd	freebsd	15.0:p3
freebsd	freebsd	15.0:p4
freebsd	freebsd	15.0:p5
freebsd	freebsd	15.0:p6
freebsd	freebsd	15.0:p7
freebsd	freebsd	15.0:p8

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-122 - Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Vulnerability Media Exposure

[GERMAN] FreeBSD Project FreeBSD OS: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in FreeBSD Project FreeBSD OS ausnutzen, um seine Privilegien zu erhöhen, um Sicherheitsvorkehrungen zu umgehen, um beliebigen Programmcode mit Administratorrechten auszuführen, und um Informationen offenzulegen.
Published: 2026-05-20T22:00:00+00:00

References

https://security.freebsd.org/advisories/FreeBSD-SA-26:20.fusefs.asc