Improper Input Validation in FuseFS File System by FreeBSD
CVE-2026-45252
5.5 MEDIUM
What is CVE-2026-45252?
The FuseFS file system in FreeBSD is susceptible to an improper input validation vulnerability. When handling extended attributes, the kernel sends a request to a userspace daemon via a FUSE_LISTXATTR message. This interaction requires the daemon to craft a list of NUL-terminated strings. However, the kernel module fails to verify that the entire list is properly NUL-terminated before processing it. As a result, if a malicious daemon sends a list without proper termination, this could lead to out-of-bounds reads and writes, allowing potential disclosure of sensitive kernel memory and the injection of attacker-controlled bytes into the kernel heap.
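The missing check described above, shown as an added user-space C example (not FreeBSD's code or its fix): the hypothetical function `xattr_list_count` accepts a FUSE_LISTXATTR-style reply only when its final byte is NUL, and walks the names with length-bounded searches. Rejecting empty names is an assumption of this example, and the sample reply is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not FreeBSD code): count the names in a
 * listxattr-style reply of `len` bytes, or return -1 if malformed.
 */
int xattr_list_count(const char *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    if (len == 0)
        return 0;                 /* an empty list is valid */
    if (buf == NULL || buf[len - 1] != '\0')
        return -1;                /* final name is not NUL-terminated */

    while (off < len) {
        /* memchr() never looks past the reply; strlen() would. */
        const char *nul = memchr(buf + off, '\0', len - off);
        if (nul == NULL)
            return -1;            /* defensive: excluded by the check above */
        size_t n = (size_t)(nul - (buf + off));
        if (n == 0)
            return -1;            /* assumption: empty names are rejected */
        off += n + 1;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed reply; the literal's implicit NUL is byte 14. */
    static const char reply[] = "user.a\0user.b";

    printf("terminated:   %d\n", xattr_list_count(reply, sizeof(reply)));
    printf("unterminated: %d\n", xattr_list_count(reply, sizeof(reply) - 1));
    return 0;
}
```

Doing the termination check once on the whole buffer, before any per-name parsing or copying, means no later step depends on a terminator the daemon may have left out.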
Affected Version(s)
FreeBSD 15.0-RELEASE
FreeBSD 14.4-RELEASE
FreeBSD 14.3-RELEASE
