CVE-2026-53167
MEDIUMfuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios
Title source: cnaDescription
In the Linux kernel, the following vulnerability has been resolved: fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios FUSE_NOTIFY_RETRIEVE must be limited to uptodate folios; !uptodate folios can contain uninitialized data. Since FUSE_NOTIFY_RETRIEVE is intended to only return data that is already in the page cache and not wait for data from the FUSE daemon, treat !uptodate folios as if they weren't present. This only has security impact on systems that don't enable automatic zero-initialization of all page allocations via CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1.
References (8)
Core 8
Core References
Scores
CVSS v3
5.5
EPSS
0.0012
EPSS Percentile
2.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-908
Status
published
Products (27)
linux/Kernel
2.6.36 - 5.10.260linux
linux/Kernel
5.11.0 - 5.15.211linux
linux/Kernel
5.16.0 - 6.1.177linux
linux/Kernel
6.13.0 - 6.18.36linux
linux/Kernel
6.19.0 - 7.0.13linux
linux/Kernel
6.2.0 - 6.6.144linux
linux/Kernel
6.7.0 - 6.12.95linux
Linux/Linux
< 2.6.36
Linux/Linux
2.6.36
Linux/Linux
2d45ba381a74a743eeaa2b06c7c5c0d2bf73ba1a - 1fb8735a3a4d894f8c1f90b741a3ab1d3817f9bd
... and 17 more
Published
Jun 25, 2026
Tracked Since
Jun 25, 2026