HIGH
fuse Request UAF
CVE-2025-68805
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

fuse: fix io-uring list corruption for terminated non-committed requests

When a request is terminated before it has been committed, the request is not removed from the queue's list. This leaves a dangling list entry that leads to list corruption and use-after-free issues. Remove the request from the queue's list for terminated non-committed requests.
02 KernelScan AI Analysis
Risk summary
Local users can trigger use-after-free in FUSE io-uring request handling, potentially leading to kernel memory corruption and privilege escalation. Systems allowing unprivileged FUSE mounts with io-uring support, including container hosts and multi-tenant systems, are at risk.
Vulnerability analysis
The vulnerability occurs when FUSE requests are terminated before being committed in the io-uring path. The original code failed to remove these requests from the queue's list, leaving dangling pointers that cause list corruption and use-after-free conditions when the list is later traversed. The fix adds proper list removal (list_del_init) during request cleanup to prevent dangling entries. This affects systems with FUSE and io-uring support where users can mount FUSE filesystems or access the FUSE device.
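The dangling-entry condition described above, as an added userspace model (not the kernel's FUSE code and not part of the original advisory). The list helpers re-implement the kernel's list API for illustration; `model_req`, `model_queue`, `model_req_terminate` and `queue_dangles_after_terminate` are hypothetical names.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace re-implementation of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}
static void list_del_init(struct list_head *e)
{
    e->prev->next = e->next; e->next->prev = e->prev;
    INIT_LIST_HEAD(e);               /* entry now points only at itself */
}

/* Hypothetical stand-ins for illustration, not the kernel's fuse structures. */
struct model_req   { struct list_head list; };
struct model_queue { struct list_head reqs; };

/* Terminate a request that was never committed. unlink == false models the
 * pre-fix path, where the request stays linked into the queue's list. */
static void model_req_terminate(struct model_req *req, bool unlink)
{
    if (unlink)
        list_del_init(&req->list);
}

/* Returns true when the queue still links to the terminated request, i.e.
 * freeing it at this point would leave a dangling list entry. */
static bool queue_dangles_after_terminate(bool unlink)
{
    struct model_queue q;
    struct model_req *req = calloc(1, sizeof(*req));
    if (!req) abort();
    INIT_LIST_HEAD(&q.reqs);
    list_add_tail(&req->list, &q.reqs);
    model_req_terminate(req, unlink);
    bool dangling = !list_empty(&q.reqs);     /* checked before free: no UB */
    if (dangling) list_del_init(&req->list);  /* repair so the model stays safe */
    free(req);
    return dangling;
}

int main(void)
{
    return (queue_dangles_after_terminate(false) &&
            !queue_dangles_after_terminate(true)) ? 0 : 1;
}
```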
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.3 | a6d1f1ace16d |
| mainline | 6.19 | 95c39eef7c2b |