PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45252 FreeBSD CVE debrief

CVE-2026-45252 is a FreeBSD fusefs kernel bug in extended-attribute handling. When the kernel asks a FUSE daemon for a list of xattrs, it expects a packed list of NUL-terminated strings. In this issue, the kernel calls strlen() on daemon-supplied data without first confirming that the full list is properly terminated. A malicious daemon can use that gap to drive an out-of-bounds read and, in some cases, an out-of-bounds write in kernel heap memory. The supplied description says the impact can include disclosure of up to 253 bytes of kernel heap data or injection of up to 250 attacker-controlled bytes into unallocated kernel heap space.

Vendor
FreeBSD
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-21
Advisory published
2026-05-21
Advisory updated
2026-05-21

Who should care

FreeBSD administrators and operators who use fusefs, especially where a FUSE daemon may be untrusted or exposed to attacker-controlled input. Kernel and platform security teams should prioritize systems that mount FUSE filesystems with extended attributes enabled.

Technical summary

The flaw is in fusefs LISTXATTR processing. The kernel receives a daemon-provided buffer containing the extended-attribute names and assumes the buffer is a packed NUL-terminated list. Because the code invokes strlen() before validating termination, a malformed response can make the kernel read past one heap buffer and potentially write past a second heap buffer. The described consequences are kernel heap information disclosure and heap corruption in the FreeBSD fusefs path.
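The ordering problem described above, validation of the packed list before any strlen()-style scan, can be shown in a small userland model. The following C is an added example written for this debrief; it is not FreeBSD's fusefs code and does not reproduce the actual kernel logic. It models a LISTXATTR-style response as a buffer of NUL-terminated names, rejects any list whose final byte is not a terminator using only length-bounded searches, and only then allows strlen() on the buffer. The per-name limit XATTR_NAME_MAX, the function names, and the sample responses are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-name cap for this example; not a FreeBSD constant. */
#define XATTR_NAME_MAX 255

/*
 * Validate a daemon-supplied packed list of NUL-terminated names.
 * Returns the number of names, or -1 if the list is malformed:
 *   - the last byte is not NUL (a strlen() on the final name would run
 *     off the end of the buffer, the read side of the described bug),
 *   - a name is empty,
 *   - a name exceeds XATTR_NAME_MAX.
 * Every scan is bounded by the remaining length; nothing here trusts the
 * daemon to have placed a terminator.
 */
int validate_packed_xattr_list(const char *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    if (len == 0)
        return 0;                    /* an empty list is valid */
    if (buf[len - 1] != '\0')
        return -1;                   /* final name is unterminated */

    while (off < len) {
        /* memchr never reads past buf + len, unlike strlen() */
        const char *nul = memchr(buf + off, '\0', len - off);
        size_t namelen;

        if (nul == NULL)
            return -1;               /* unreachable after the tail check; kept as belt and braces */
        namelen = (size_t)(nul - (buf + off));
        if (namelen == 0 || namelen > XATTR_NAME_MAX)
            return -1;
        count++;
        off += namelen + 1;
    }
    return count;
}

/*
 * Return a pointer to the idx-th name (0-based) or NULL if idx is out of
 * range or the list is malformed. strlen() is used here only because the
 * validation above has already proven every terminator exists.
 */
const char *xattr_name_at(const char *buf, size_t len, int idx)
{
    size_t off = 0;
    int i;

    if (idx < 0 || validate_packed_xattr_list(buf, len) <= idx)
        return NULL;
    for (i = 0; i < idx; i++)
        off += strlen(buf + off) + 1;   /* safe: list validated first */
    return buf + off;
}

/*
 * Repack a validated list into a caller-owned buffer. Returns bytes written,
 * or -1 if the list is malformed or would not fit. The size check models the
 * bound that prevents the second, out-of-bounds write the summary describes.
 */
int copy_xattr_list(const char *buf, size_t len, char *out, size_t outsz)
{
    if (validate_packed_xattr_list(buf, len) < 0)
        return -1;
    if (len > outsz)
        return -1;
    memcpy(out, buf, len);
    return (int)len;
}

int main(void)
{
    /* Constructed sample responses, not captured from a real FUSE daemon. */
    static const char good[] = "user.a\0user.b\0security.example\0";
    static const char bad[]  = "user.a\0user.b";   /* daemon omitted the final NUL */
    int n;

    n = validate_packed_xattr_list(good, sizeof(good) - 1);
    printf("good list: %d names, name[2]=%s\n", n,
           xattr_name_at(good, sizeof(good) - 1, 2));

    n = validate_packed_xattr_list(bad, sizeof(bad) - 1);
    printf("bad list: %s\n",
           n < 0 ? "rejected before any strlen()" : "accepted");
    return 0;
}
```

The `sizeof(x) - 1` lengths deliberately exclude the string literal's implicit terminator, so the second sample really does end in `b` and is refused before any unbounded string routine touches it. In kernel code the same rule applies: the length the daemon reports is the only trustworthy bound, and the terminator check must come before strlen(), not after.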

Defensive priority

High for affected FreeBSD systems using fusefs with extended attributes enabled; lower exposure where fusefs is unused or no untrusted FUSE daemon can influence responses.

Recommended defensive actions

  • Review whether fusefs is enabled and used on FreeBSD systems, especially with extended attributes.
  • Apply the vendor fix from the referenced FreeBSD security advisory as soon as it is available for your release branch.
  • Restrict or harden any FUSE daemons that can serve content to the kernel, particularly in multi-tenant or untrusted environments.
  • Treat any abnormal fusefs behavior, kernel panics, or unexpected xattr activity as high-priority investigation items until patched.
  • If you operate security baselines or configuration management, add fusefs xattr handling to your patch verification and rollback checks.

Evidence notes

All impact details in this debrief come from the provided CVE description. NVD lists the vulnerability as received and cites the FreeBSD security advisory FreeBSD-SA-26:20.fusefs.asc as the reference source. No CVSS vector was provided in the supplied corpus, so no severity score is inferred here.

Official resources

Publicly disclosed on 2026-05-21 via the NVD record, which cites the FreeBSD security advisory as the source reference.