CVE-2026-45252

CVE-2026-45252 is a medium-severity vulnerability in Freebsd with a CVSS 3.x base score of 5.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-122.

Key facts

Description

When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated. If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space.

Frequently asked questions

What is CVE-2026-45252?
When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated. If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space.
How severe is CVE-2026-45252?
CVE-2026-45252 has a CVSS 3.x base score of 5.5, rated medium severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability high.
Is CVE-2026-45252 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (20th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-45252?
CVE-2026-45252 primarily affects Freebsd. In total, 29 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2026-45252?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-45252 have an EU (EUVD) identifier?
Yes. CVE-2026-45252 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-31254.
When was CVE-2026-45252 published?
CVE-2026-45252 was published on 2026-05-21 and last updated on 2026-06-17.

References

Affected products (29)

More vulnerabilities in Freebsd

All CVEs affecting Freebsd →

Other CWE-122 (Heap-based Buffer Overflow) vulnerabilities

Browse all CWE-122 (Heap-based Buffer Overflow) vulnerabilities →