-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-26:20.fusefs Security Advisory
The FreeBSD Project
Topic: Heap overflow in FUSE_LISTXATTR
Category: core
Module: fusefs
Announced: 2026-05-20
Credits: Joshua Rogers of AISLE Research Team
Affects: All supported versions of FreeBSD.
Corrected: 2026-05-20 19:36:38 UTC (stable/15, 15.0-STABLE)
2026-05-20 19:39:32 UTC (releng/15.0, 15.0-RELEASE-p9)
2026-05-20 19:37:58 UTC (stable/14, 14.4-STABLE)
2026-05-20 19:39:58 UTC (releng/14.4, 14.4-RELEASE-p5)
2026-05-20 19:40:36 UTC (releng/14.3, 14.3-RELEASE-p14)
CVE Name: CVE-2026-45252
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
The fusefs file system delegates file system operations to a userspace
daemon. This daemon ordinarily requires root privileges to operate. When
the "vfs.usermount" sysctl is set to 1 (not the default), unprivileged users
are permitted to run such daemons and mount fusefs file systems.
II. Problem Description
When a fusefs file system implements extended attributes, the kernel may send
a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended
attributes for a given file. The FUSE protocol requires the daemon to return
a packed list of NUL-terminated strings. The fusefs kernel module calls
strlen() on this daemon-supplied buffer without first verifying that the
entire list is NUL-terminated.
III. Impact
If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel
module may read beyond the end of one heap-allocated buffer and potentially
write beyond the end of a second buffer. A malicious daemon could disclose
up to 253 bytes of kernel heap memory, or it could inject up to 250
attacker-controlled bytes into unallocated kernel heap space.
IV. Workaround
No workaround is available, but systems that do not load the fusefs kernel
module or set vfs.usermount=1 are unaffected.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-15.patch.asc
# gpg --verify fusefs-15.patch.asc
[FreeBSD 14.4]
# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.4.patch
# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.4.patch.asc
# gpg --verify fusefs-14.4.patch.asc
[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.3.patch
# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.3.patch.asc
# gpg --verify fusefs-14.3.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ df3f3fa82775 stable/15-n283642
releng/15.0/ 0dd8b983db3c releng/15.0-n281042
stable/14/ 25148c51c8c6 stable/14-n274165
releng/14.4/ 6a299460f159 releng/14.4-n273705
releng/14.3/ 53f3bf4ee1ce releng/14.3-n271505
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHIbFIAAAAAABAAO
bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvobkP/R3O3bwsnJkhG1NQ6pKh
UFcwpZ8TSAqtccHZRQz2zoKTqu/EeClT7Bdgw/Qa8gbZ7IfZgS8AJaR7e4fgpE96
AhHU6cbyZrpwvWUatIKgX57032+M1ioMiz9g0KbGg4W4WKe/QHj4yt45F7qRfLNb
BD7Qp7E0XtV+UrNXkhOQQmHyVTpB85tK/e5Yc+vcSgAQ3LWrzwO4zED4f78e3faw
oiLm1oE/Vx0jfrRKsnCECdJS532xlfH6iJ2/2ZXfUthGQmZQe34wOMwYS0EcaGZV
TQoLwsg5qLj4hJOGMCZk4X4TjrkoQquWdsAQetB8tqXIyw7QEgbMIIbhS3mQZ5CW
aEq3wbYMowxCMb/6Dd/R56wDqyGI2Z6GHmUT58M0OSIIISfsD+UHOCW2lrQQ5zrI
o1O/IFAvqsmCN6JQzFgC3KC8BLLZWzxf5Bun6yOls/YA31zOXAen0isnbOvVnGot
42Dy65fENCUQMt+p3eDDLQzxDhlqGAGbiqysBmxwTA5Wqc4furv7O0wmBPwOOGeH
NqlKYsqO9u4kEW2lTCPs7R5+wsc+EACc07kikDQgp1m59JlkMfmXU4Kbcgw9r4GR
9OWtidfTCDGmt9mXzJVKaBurgJ1iqsBfzzLamWo0iDpUMgUP7VA9jVjVbUmtjH1V
qAWdXCXwrbOr+eA50IIPxkal
=HzW3
-----END PGP SIGNATURE-----