SB20260502131 - Improper locking in Linux kernel fuse



SB20260502131 - Improper locking in Linux kernel fuse

Published: May 2, 2026

Security Bulletin ID SB20260502131
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Local access
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Improper locking (CVE-ID: CVE-2026-31713)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of a fatal signal in fuse sync initialization in the FUSE filesystem mount handling when initializing a FUSE filesystem with sync init while the server exits during FUSE_INIT processing. A local user can trigger a mount operation under these conditions to cause a denial of service.

The issue causes the filesystem creation to hang because the mounting thread keeps the device file descriptor open, preventing an abort from occurring.


Remediation

Install update from vendor's website.