
CVE-2026-45252

5.5 MEDIUM


Published: 2026-05-21 · Last updated: 2026-05-21

Severity and scoring

CVSS: 5.5 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H
CWE: CWE-122

Affected products

Vendor: freebsd
Product: freebsd

Description

When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated. If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space.

Source: NVD
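
The missing check described above, as an added userspace C example (not FreeBSD kernel code and not the project's fix): a packed name list is walked with a bounded memchr() instead of strlen(), and every write is checked against the destination size. The function name, return codes, sample buffers and the length-prefixed output format are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { XL_OK = 0, XL_UNTERMINATED = -1, XL_NAME_TOO_LONG = -2, XL_NO_SPACE = -3 };

/* Constructed sample replies, not captured traffic. */
static const char reply_ok[] = "user.a\0user.bc";            /* 15 bytes, terminated */
static const char reply_bad[] = { 'u','s','e','r','.','a','\0','u','s','e','r' };

/*
 * Convert packed NUL-terminated names in src[0..src_len) into length-prefixed
 * entries (1 length byte + name, no NUL) in dst. Every read is bounded by
 * src_len and every write by dst_len. *out_len gets the bytes written.
 */
int xattr_list_convert(const char *src, size_t src_len,
                       unsigned char *dst, size_t dst_len, size_t *out_len)
{
    size_t in = 0, out = 0;

    while (in < src_len) {
        /* Bounded search: never scan past the end of the reply buffer. */
        const char *nul = memchr(src + in, '\0', src_len - in);
        if (nul == NULL)
            return XL_UNTERMINATED;  /* an unbounded strlen() would overrun here */

        size_t name_len = (size_t)(nul - (src + in));
        if (name_len > 255)
            return XL_NAME_TOO_LONG; /* does not fit the 1-byte length prefix */
        if (dst_len - out < name_len + 1)
            return XL_NO_SPACE;      /* refuse rather than write past dst */

        dst[out++] = (unsigned char)name_len;
        memcpy(dst + out, src + in, name_len);
        out += name_len;
        in += name_len + 1;          /* skip the name and its NUL */
    }
    *out_len = out;
    return XL_OK;
}

int main(void)
{
    unsigned char dst[64];
    size_t n = 0;
    printf("ok reply:  %d\n", xattr_list_convert(reply_ok, sizeof reply_ok, dst, sizeof dst, &n));
    printf("bad reply: %d\n", xattr_list_convert(reply_bad, sizeof reply_bad, dst, sizeof dst, &n));
    return 0;
}
```

The unterminated reply is rejected before any byte past the source buffer is read, and a destination that is too small produces an error rather than a partial write past its end.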

Related CVEs

Same vendor

  • CVE-2026-45255 When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) t... (7.5 HIGH)
  • CVE-2026-45254 In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "a... (6.5 MEDIUM)
  • CVE-2026-45253 ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls (8.4 HIGH)
  • CVE-2026-45251 A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor (7.8 HIGH)
  • CVE-2026-39461 libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become av... (8.8 HIGH)

Same CWE

  • CVE-2026-47747 stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inf... (7.8 HIGH)
  • CVE-2026-47964 DNG SDK versions 1.7.1 2536 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code ex... (7.8 HIGH)
  • CVE-2026-47749 stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inf... (7.8 HIGH)
  • CVE-2026-8484 A heap buffer overflow vulnerability exists in the Jansi JNI "ioctl()" wrapper due to a lack of size verification for the argument array ...
  • CVE-2026-52720 A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client) (8.8 HIGH)