CVEFinder.io

CVE-2026-45252

🔶 medium
🔍 Scan for this CVE
Summary

When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated. If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may

Description

When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated.

If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space.

CVSS Score
5.5
Medium
EPSS Score
0.1
Exploit Probability
Published Date
2026-05-21
First Seen: 2026-05-22
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 32.6% of all 325,680 vulnerabilities in our database.

#219,606
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 21, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
Joshua Rogers of AISLE Research Team
SSVC data provided by CISA
Last Modified 2026-05-21
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H
CWE IDs (Weakness Types)
CWE-122

📦 Affected Products 3

Vendor Product Status Affected Versions
freebsd freebsd Affected
v14.3
freebsd freebsd Affected
v14.4
freebsd freebsd Affected
v15.0

🔗 References 1

https://security.freebsd.org/advisories/FreeBSD-SA-2...
Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-45250 ⚠️ high 7.8 0.0 The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is ... 2026-05-21
CVE-2026-39461 ⚠️ high 8.8 0.0 libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for ... 2026-05-21
CVE-2026-45251 ⚠️ high 7.8 0.0 A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. B... 2026-05-21
CVE-2026-45253 ⚠️ high 8.4 0.0 ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a... 2026-05-21
CVE-2026-45254 🔶 medium 6.5 0.0 In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key ... 2026-05-21
CVE-2026-45255 ⚠️ high 7.5 0.0 When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and u... 2026-05-21
These CVEs affect the same products