CVE-2026-33150

{"id": "CVE-2026-33150", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-03-20T21:17:15.410", "references": [{"url": "https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2."}, {"lang": "es", "value": "libfuse es la implementaci\u00f3n de referencia de FUSE de Linux. Desde la versi\u00f3n 3.18.0 hasta antes de la versi\u00f3n 3.18.2, una vulnerabilidad de uso despu\u00e9s de liberaci\u00f3n en el subsistema io_uring de libfuse permite a un atacante local colapsar procesos del sistema de archivos FUSE y potencialmente ejecutar c\u00f3digo arbitrario. Cuando la creaci\u00f3n de hilos de io_uring falla debido al agotamiento de recursos (por ejemplo, cgroup pids.max), fuse_uring_start() libera la estructura del pool de anillos pero almacena el puntero colgante en el estado de la sesi\u00f3n, lo que lleva a un uso despu\u00e9s de liberaci\u00f3n cuando la sesi\u00f3n se cierra. El disparador es fiable en entornos contenerizados donde los l\u00edmites de cgroup pids.max restringen naturalmente la creaci\u00f3n de hilos. Este problema ha sido parcheado en la versi\u00f3n 3.18.2."}], "lastModified": "2026-03-23T19:16:14.717", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:libfuse_project:libfuse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83EF6E3E-F5F2-4CE2-B497-62493DAB2A1F", "versionEndExcluding": "3.18.2", "versionStartIncluding": "3.18.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}