Skip to content
Verified Linux kernel FUSE readdir cache out-of-bounds write
REPRO-2026-00221 Privilege Escalation Jul 3, 2026 .txt
Severity HIGH
Confidence HIGH
Reproduced in 63m 5s
Tool calls 393
Spend $18.52
$ pruva-verify REPRO-2026-00221
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00221/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

A missing bounds check in the Linux kernel FUSE readdir cache allows a malicious FUSE server to overflow a page-cache page by 24 bytes. In fs/fuse/readdir.c, fuse_add_dirent_to_cache() computes the serialized directory-entry size from the server-controlled namelen field and copies it into a single page-cache page. The check offset + reclen > PAGE_SIZE only handles records that do not fit in the remaining space of the current page; it does not reject records larger than PAGE_SIZE itself. After the FUSE_NAME_MAX increase to PATH_MAX-1 (4095) in Linux 6.16 (commit 27992ef80770d), a FUSE daemon can return a dirent with namelen=4095, producing a 4120-byte record that overflows a 4 KiB page by 24 bytes into the adjacent kernel page. This can be exploited for unprivileged local privilege escalation by corrupting the page-cache copy of /etc/passwd. Affected versions are reachable from v6.16 through v7.0-rc and stable branches before their respective fixes. Reproduction uses the public PoC at https://github.com/0xCyberstan/CVE-2026-31694-POC inside a QEMU/KVM VM running a vulnerable kernel.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/ticket.md1.3 KB
bundle/ticket.json2.5 KB
bundle/repro/build_initramfs.sh1.9 KB
bundle/repro/fix.patch0.4 KB
bundle/repro/fuse-vuln.ko748.8 KB
bundle/repro/fuse-fixed.ko748.8 KB
bundle/repro/fuse_evil.c19.0 KB
bundle/repro/fuse_evil835.5 KB
bundle/repro/validation_verdict.json0.9 KB
bundle/repro/fuse_passwd_lpe.c17.0 KB
bundle/repro/build_lpe_initramfs.sh1.9 KB
bundle/repro/fuse-nokasan-vuln.ko399.7 KB
bundle/repro/fuse-nokasan-fixed.ko399.9 KB
bundle/repro/runtime_manifest.json1.0 KB
bundle/repro/passwd.seed0.1 KB
bundle/repro/init.rootfs0.9 KB
bundle/logs/reproduction_steps.log10.1 KB
bundle/logs/qemu_vuln_attempt1.log30.1 KB
bundle/logs/qemu_vuln_attempt2.log30.1 KB
bundle/logs/qemu_vuln_attempt3.log30.4 KB
bundle/logs/qemu_vuln_attempt4.log30.2 KB
bundle/logs/qemu_vuln_attempt5.log30.1 KB
bundle/logs/qemu_fixed_attempt1.log25.1 KB
bundle/logs/qemu_fixed_attempt2.log0.3 KB
bundle/logs/test_lpe_vuln.log24.7 KB
bundle/logs/test_lpe_v709.log29.4 KB
bundle/logs/test_lpe_v709b.log29.1 KB
bundle/logs/test_lpe_kasan_target.log25.2 KB
bundle/logs/test_lpe_fixed.log25.0 KB
bundle/logs/test_active_rootfs_vuln.log25.6 KB
bundle/logs/test_nokasan_vuln.log25.1 KB
bundle/logs/qemu_lpe_vuln_attempt1.log25.4 KB
bundle/logs/qemu_lpe_vuln_attempt2.log25.3 KB
bundle/logs/qemu_lpe_fixed_attempt1.log24.9 KB
bundle/logs/qemu_lpe_fixed_attempt2.log24.9 KB
bundle/logs/vuln_variant/readdirplus_variant.log6.6 KB
bundle/logs/vuln_variant/qemu_readdirplus_vuln.log26.4 KB
bundle/logs/vuln_variant/qemu_readdirplus_fixed.log25.8 KB
bundle/logs/vuln_variant/fixed_version.txt1.1 KB
bundle/logs/vuln_variant/artifact_hashes.txt0.5 KB
bundle/vuln_variant/fuse_readdirplus_lpe.c18.6 KB
bundle/vuln_variant/runtime_manifest.json1.1 KB
bundle/vuln_variant/fuse-readdirplus-vuln.ko399.7 KB
bundle/vuln_variant/fuse-readdirplus-fixed.ko399.9 KB
bundle/vuln_variant/passwd.seed0.1 KB
bundle/vuln_variant/init.readdirplus1.0 KB
bundle/vuln_variant/patch_analysis.md6.7 KB
bundle/vuln_variant/variant_manifest.json4.1 KB
bundle/vuln_variant/validation_verdict.json2.4 KB
bundle/vuln_variant/source_identity.json2.0 KB
bundle/vuln_variant/root_cause_equivalence.json1.3 KB
bundle/repro/rca_report.md9.7 KB
bundle/repro/reproduction_steps.sh15.6 KB
bundle/vuln_variant/reproduction_steps.sh10.7 KB
bundle/vuln_variant/rca_report.md10.5 KB