{
  "variant_id": "CVE-2026-31694-readdirplus-alternate",
  "created_at": "2026-07-03T18:15:00Z",
  "variant_summary": "A malicious FUSE daemon can trigger the same oversized-dirent readdir-cache overflow through FUSE_READDIRPLUS by returning a direntplus record whose embedded dirent has namelen=4095. The alternate path reproduces on the vulnerable module but is blocked by the tested sink-level reclen > PAGE_SIZE fix, so it is not a fixed-version bypass.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
  "submitted_target": {
    "target_kind": "linux_kernel_source",
    "version": "v6.18.18 vulnerable module without fuse_add_dirent_to_cache reclen > PAGE_SIZE guard",
    "ref": "prepared-cache/linux-src plus vulnerable fuse.ko negative source transform",
    "display": "Prepared Linux 6.18.18 source/build cache; vulnerable fuse.ko lacks the oversized-dirent cache guard"
  },
  "variant_target": {
    "target_kind": "linux_kernel_source",
    "commit_sha": "3318f10fa28986dc5767444de585e00369c4ace3",
    "version": "v6.18.18 with tested fuse_add_dirent_to_cache reclen > PAGE_SIZE guard",
    "ref": "refs/tags/v6.18.18^{} plus local fixed-module guard equivalent to upstream fix 51a8de6c50bf947c8f534cd73da4c8f0a13e7bed",
    "display": "Prepared Linux 6.18.18 QEMU kernel with fixed fuse.ko negative control"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "local_only",
  "validated_surface": "local_only",
  "required_entrypoint_kind": "local_kernel_runtime",
  "required_entrypoint_detail": "Attacker-controlled FUSE daemon negotiates FUSE_DO_READDIRPLUS and answers a kernel FUSE_READDIRPLUS request with an oversized direntplus record containing an embedded dirent with namelen=4095.",
  "attacker_controlled_input": "FUSE_READDIRPLUS reply containing struct fuse_direntplus; embedded dirent.namelen=4095 and overflow payload at the page-boundary offset of the embedded dirent name.",
  "trigger_path": "uid 1000 FUSE daemon -> getdents64 on FUSE directory -> fuse_readdir_uncached selects FUSE_READDIRPLUS -> parse_dirplusfile -> fuse_emit -> fuse_add_dirent_to_cache -> vulnerable memcpy of FUSE_DIRENT_SIZE(dirent)=4120 into one page -> /etc/passwd page-cache first line changed on vulnerable module; fixed module returns before memcpy.",
  "observed_impact_class": "privilege_escalation_on_vulnerable_alternate_trigger_no_fixed_bypass",
  "exploitability_confidence": "high_for_vulnerable_alternate_trigger",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "not_a_bypass_fixed_module_blocks_alternate_readdirplus_path",
  "blocking_mitigation": "Sink-level guard in fs/fuse/readdir.c:fuse_add_dirent_to_cache(): if (reclen > PAGE_SIZE) return;",
  "file_path": "fs/fuse/readdir.c",
  "line_start": 32,
  "line_end": 88,
  "secondary_anchors": [
    {
      "file_path": "fs/fuse/readdir.c",
      "line_start": 114,
      "line_end": 123
    },
    {
      "file_path": "fs/fuse/readdir.c",
      "line_start": 293,
      "line_end": 326
    },
    {
      "file_path": "fs/fuse/readdir.c",
      "line_start": 334,
      "line_end": 377
    },
    {
      "file_path": "include/uapi/linux/fuse.h",
      "line_start": 1054,
      "line_end": 1078
    }
  ],
  "review_scope_paths": [
    "fs/fuse/readdir.c",
    "fs/fuse/file.c",
    "fs/fuse/inode.c",
    "include/uapi/linux/fuse.h",
    "Documentation/process/security-bugs.rst",
    "MAINTAINERS"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/readdirplus_variant.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh",
      "bundle/vuln_variant/fuse_readdirplus_lpe.c"
    ]
  }
}
