CVE-2026-53167 in Linux
Summary
by MITRE • 06/25/2026
In the Linux kernel, the following vulnerability has been resolved:
fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios
FUSE_NOTIFY_RETRIEVE must be limited to uptodate folios; !uptodate folios can contain uninitialized data. Since FUSE_NOTIFY_RETRIEVE is intended to only return data that is already in the page cache and not wait for data from the FUSE daemon, treat !uptodate folios as if they weren't present.
This only has security impact on systems that don't enable automatic zero-initialization of all page allocations via CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1.
Analysis
by VulDB Data Team • 06/25/2026
The vulnerability in the Linux kernel relates to improper handling of FUSE_NOTIFY_RETRIEVE operations within the Filesystem in Userspace (FUSE) subsystem. This flaw exists in how the kernel processes retrieve notifications for FUSE filesystems, specifically when dealing with page cache entries that may contain uninitialized data. The issue stems from the kernel's failure to properly validate the state of folios before processing FUSE_NOTIFY_RETRIEVE requests, potentially exposing sensitive information through uninitialized memory contents.
The technical implementation flaw occurs within the FUSE subsystem where the kernel does not adequately check whether folios are in an uptodate state before processing data retrieval operations. When folios are marked as !uptodate, they may contain uninitialized data from previous allocations or kernel memory operations. The vulnerability manifests because the system treats all folios equally regardless of their initialization status, allowing potential information leakage through FUSE_NOTIFY_RETRIEVE operations that should only return data already present in the page cache.
The operational impact of this vulnerability is significant for systems lacking automatic zero-initialization of page allocations. Without CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1 enabled, uninitialized memory pages can retain data from previous operations, creating an information disclosure risk. An attacker could exploit this weakness to extract sensitive data from kernel memory regions that should remain isolated, particularly when the FUSE subsystem is actively processing retrieve notifications for filesystem operations.
This vulnerability aligns with CWE-248, which addresses "Uncaught Exception" in operating systems where improper handling of memory states leads to information disclosure. The flaw also relates to ATT&CK technique T1552.001, "Credentials In Files", as uninitialized memory could contain sensitive credentials or cryptographic keys that were previously stored in the same memory regions. Additionally, it connects to T1068, "Exploitation for Privilege Escalation", as information disclosure could facilitate further exploitation attempts against kernel memory.
The mitigation strategy focuses on implementing proper validation of folio states before processing FUSE_NOTIFY_RETRIEVE operations. The fix requires ensuring that only uptodate folios are considered for data retrieval, effectively treating !uptodate folios as non-existent within the context of this operation. System administrators should also consider enabling automatic zero-initialization of page allocations through CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1 to provide additional defense-in-depth against similar memory-related vulnerabilities.
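To make the mechanism in the analysis above concrete, the following is an added userspace model written for this page; it is not kernel code and not the upstream patch. The struct `sim_folio`, the helpers `sim_alloc_folio`, `sim_fill_folio`, `retrieve_before_fix`, `retrieve_after_fix` and `run_scenario`, the 16-byte folio size and the 0xAB stale pattern are all hypothetical simplifications. It contrasts a retrieve path that copies any present folio (the pre-fix behaviour) with one that treats a !uptodate folio as absent (the fix), and shows why init_on_alloc closes the leak even without the fix.

```c
/*
 * Added illustration (not kernel code): a userspace model of the
 * FUSE_NOTIFY_RETRIEVE folio check. All names and sizes below are
 * hypothetical stand-ins for the real page cache.
 */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FOLIO_SIZE 16
#define CACHE_SLOTS 4

/* Stand-in for a page-cache folio: its bytes plus the "uptodate" flag. */
struct sim_folio {
    bool present;              /* slot holds a folio at all */
    bool uptodate;             /* contents were filled by the filesystem */
    uint8_t data[FOLIO_SIZE];
};

/* Model of handing out a fresh page. With init_on_alloc the page is zeroed;
 * without it, whatever the previous owner left behind stays in memory
 * (modelled here by a constructed 0xAB stale pattern). */
static void sim_alloc_folio(struct sim_folio *f, bool init_on_alloc)
{
    f->present = true;
    f->uptodate = false;       /* allocated, not yet filled by the FUSE daemon */
    memset(f->data, init_on_alloc ? 0x00 : 0xAB, FOLIO_SIZE);
}

/* Mark the folio as holding real file data. */
static void sim_fill_folio(struct sim_folio *f, const uint8_t *src)
{
    memcpy(f->data, src, FOLIO_SIZE);
    f->uptodate = true;
}

/* Pre-fix behaviour: any present folio is copied out, uptodate or not.
 * Returns the number of bytes copied. */
static size_t retrieve_before_fix(const struct sim_folio *cache, size_t idx, uint8_t *out)
{
    if (idx >= CACHE_SLOTS || !cache[idx].present)
        return 0;
    memcpy(out, cache[idx].data, FOLIO_SIZE);
    return FOLIO_SIZE;
}

/* Post-fix behaviour: a !uptodate folio is treated as if it were not present,
 * so only data the filesystem actually wrote is ever returned. */
static size_t retrieve_after_fix(const struct sim_folio *cache, size_t idx, uint8_t *out)
{
    if (idx >= CACHE_SLOTS || !cache[idx].present || !cache[idx].uptodate)
        return 0;
    memcpy(out, cache[idx].data, FOLIO_SIZE);
    return FOLIO_SIZE;
}

/* True if any returned byte is non-zero, i.e. not zero-initialised memory. */
static bool leaks_stale_bytes(const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0)
            return true;
    return false;
}

/* Constructed cache: slot 0 filled with file data ('D' bytes), slot 1
 * allocated but never filled, slots 2-3 empty. */
static void build_cache(struct sim_folio *cache, bool init_on_alloc)
{
    uint8_t file[FOLIO_SIZE];
    memset(cache, 0, sizeof(*cache) * CACHE_SLOTS);
    memset(file, 'D', FOLIO_SIZE);
    sim_alloc_folio(&cache[0], init_on_alloc);
    sim_fill_folio(&cache[0], file);
    sim_alloc_folio(&cache[1], init_on_alloc);   /* stays !uptodate */
}

/* Retrieve the !uptodate slot with the chosen implementation; returns the byte
 * count and reports via *stale whether non-zero (leftover) bytes came back. */
static size_t run_scenario(bool init_on_alloc, bool fixed, bool *stale)
{
    struct sim_folio cache[CACHE_SLOTS];
    uint8_t out[FOLIO_SIZE] = {0};
    build_cache(cache, init_on_alloc);
    size_t n = fixed ? retrieve_after_fix(cache, 1, out)
                     : retrieve_before_fix(cache, 1, out);
    *stale = leaks_stale_bytes(out, n);
    return n;
}

int main(void)
{
    bool stale;
    size_t n = run_scenario(false, false, &stale);
    printf("before fix, no init_on_alloc: %zu bytes, stale=%d\n", n, stale);
    n = run_scenario(true, false, &stale);
    printf("before fix, init_on_alloc=1:  %zu bytes, stale=%d\n", n, stale);
    n = run_scenario(false, true, &stale);
    printf("after fix:                    %zu bytes, stale=%d\n", n, stale);
    return 0;
}
```

The three printed scenarios line up with the advisory: the unfixed path without init_on_alloc hands back the stale pattern, the same path with init_on_alloc returns a zeroed page (no disclosure, which is why the advisory scopes the impact to systems without it), and the fixed path returns nothing for a !uptodate folio while still returning the uptodate one.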
The security implications extend beyond simple information disclosure, as uninitialized memory could contain remnants of sensitive operations including cryptographic keys, authentication tokens, or other confidential data. This vulnerability demonstrates the critical importance of proper memory state validation in kernel subsystems, where access to uninitialized memory could lead to cascading security issues. The fix both addresses the immediate information leakage and reinforces kernel memory management practices that prevent similar vulnerabilities from manifesting in other subsystems.
Systems with automatic zero-initialization enabled are protected from this specific vulnerability as uninitialized memory is automatically cleared before reuse, eliminating the risk of data exposure through FUSE_NOTIFY_RETRIEVE operations. This highlights the importance of enabling security-hardening kernel configuration options and demonstrates how seemingly minor implementation details can create significant security risks when dealing with kernel memory management and filesystem operations. The vulnerability serves as a reminder that even specialized subsystems like FUSE require rigorous validation of memory states to prevent information disclosure attacks.