SB20260502131 - Improper locking in Linux kernel fuse
Published: May 2, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper locking (CVE-ID: CVE-2026-31713)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of a fatal signal in fuse sync initialization in the FUSE filesystem mount handling when initializing a FUSE filesystem with sync init while the server exits during FUSE_INIT processing. A local user can trigger a mount operation under these conditions to cause a denial of service.
The issue causes the filesystem creation to hang because the mounting thread keeps the device file descriptor open, preventing an abort from occurring.
Remediation
Install update from vendor's website.