CVE-2018-10906

MEDIUM

Debian Linux < 2.9.8 - Improper Authorization

Title source: rule

Description

In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Google Security Research · cdoslinux
https://www.exploit-db.com/exploits/45106

References (8)

Scores

CVSS v3 5.3
EPSS 0.0005
EPSS Percentile 16.8%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-269 CWE-285
Status published
Products (6)
debian/debian_linux 8.0
debian/debian_linux 9.0
fuse_project/fuse < 2.9.8
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_server 7.0
redhat/enterprise_linux_workstation 7.0
Published Jul 24, 2018
Tracked Since Feb 18, 2026