
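    4 vulnerabilities found for libfuse by libfuse (two distinct CVEs, CVE-2026-33179 and CVE-2026-33150, each listed once from the nvd source and once from the cvelistv5 source)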

    CVE-2026-33179 (GCVE-0-2026-33179)

    Vulnerability from nvd – Published: 2026-03-20 20:20 – Updated: 2026-03-25 13:55
    VLAI
    Title
    libfuse: NULL Pointer Dereference and Memory Leak in io_uring Queue Initialization
    Summary
    libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    Impacted products
    Vendor Product Version
    libfuse libfuse Affected: >= 3.18.0, < 3.18.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33179",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-25T13:55:38.887586Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-25T13:55:45.971Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libfuse",
              "vendor": "libfuse",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.18.0, \u003c 3.18.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-20T20:20:09.171Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358"
            },
            {
              "name": "https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7"
            },
            {
              "name": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2"
            }
          ],
          "source": {
            "advisory": "GHSA-x669-v3mq-r358",
            "discovery": "UNKNOWN"
          },
          "title": "libfuse: NULL Pointer Dereference and Memory Leak in io_uring Queue Initialization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33179",
        "datePublished": "2026-03-20T20:20:09.171Z",
        "dateReserved": "2026-03-17T22:16:36.720Z",
        "dateUpdated": "2026-03-25T13:55:45.971Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33150 (GCVE-0-2026-33150)

    Vulnerability from nvd – Published: 2026-03-20 20:20 – Updated: 2026-03-27 03:55
    VLAI
    Title
    Use After Free in libfuse
    Summary
    libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-416 - Use After Free
    Assigner
    Impacted products
    Vendor Product Version
    libfuse libfuse Affected: >= 3.18.0, < 3.18.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33150",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-26T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-27T03:55:40.426Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libfuse",
              "vendor": "libfuse",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.18.0, \u003c 3.18.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-20T20:20:29.963Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx"
            },
            {
              "name": "https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836"
            },
            {
              "name": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2"
            }
          ],
          "source": {
            "advisory": "GHSA-qxv7-xrc2-qmfx",
            "discovery": "UNKNOWN"
          },
          "title": "Use After Free in libfuse"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33150",
        "datePublished": "2026-03-20T20:20:29.963Z",
        "dateReserved": "2026-03-17T21:17:08.885Z",
        "dateUpdated": "2026-03-27T03:55:40.426Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33150 (GCVE-0-2026-33150)

    Vulnerability from cvelistv5 – Published: 2026-03-20 20:20 – Updated: 2026-03-27 03:55
    VLAI
    Title
    Use After Free in libfuse
    Summary
    libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-416 - Use After Free
    Assigner
    Impacted products
    Vendor Product Version
    libfuse libfuse Affected: >= 3.18.0, < 3.18.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33150",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-26T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-27T03:55:40.426Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libfuse",
              "vendor": "libfuse",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.18.0, \u003c 3.18.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-20T20:20:29.963Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx"
            },
            {
              "name": "https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836"
            },
            {
              "name": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2"
            }
          ],
          "source": {
            "advisory": "GHSA-qxv7-xrc2-qmfx",
            "discovery": "UNKNOWN"
          },
          "title": "Use After Free in libfuse"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33150",
        "datePublished": "2026-03-20T20:20:29.963Z",
        "dateReserved": "2026-03-17T21:17:08.885Z",
        "dateUpdated": "2026-03-27T03:55:40.426Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33179 (GCVE-0-2026-33179)

    Vulnerability from cvelistv5 – Published: 2026-03-20 20:20 – Updated: 2026-03-25 13:55
    VLAI
    Title
    libfuse: NULL Pointer Dereference and Memory Leak in io_uring Queue Initialization
    Summary
    libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    Impacted products
    Vendor Product Version
    libfuse libfuse Affected: >= 3.18.0, < 3.18.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33179",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-25T13:55:38.887586Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-25T13:55:45.971Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "libfuse",
              "vendor": "libfuse",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.18.0, \u003c 3.18.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-20T20:20:09.171Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358"
            },
            {
              "name": "https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7"
            },
            {
              "name": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2"
            }
          ],
          "source": {
            "advisory": "GHSA-x669-v3mq-r358",
            "discovery": "UNKNOWN"
          },
          "title": "libfuse: NULL Pointer Dereference and Memory Leak in io_uring Queue Initialization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33179",
        "datePublished": "2026-03-20T20:20:09.171Z",
        "dateReserved": "2026-03-17T22:16:36.720Z",
        "dateUpdated": "2026-03-25T13:55:45.971Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }