CVE-2026-33179

libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7	Patch
https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2	Product Release Notes
https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:libfuse_project:libfuse:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-20 21:17

Updated : 2026-03-27 21:20

NVD link : CVE-2026-33179

Mitre link : CVE-2026-33179

CVE.ORG link : CVE-2026-33179

JSON object : View

Products Affected

libfuse_project

libfuse

CWE

CWE-476

NULL Pointer Dereference

{"id": "CVE-2026-33179", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-03-20T21:17:16.593", "references": [{"url": "https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2."}, {"lang": "es", "value": "libfuse es la implementaci\u00f3n de referencia de FUSE de Linux. Desde la versi\u00f3n 3.18.0 hasta antes de la versi\u00f3n 3.18.2, una desreferencia de puntero NULL y una fuga de memoria en fuse_uring_init_queue permiten a un usuario local bloquear el demonio FUSE o causar agotamiento de recursos. Cuando numa_alloc_local falla durante la configuraci\u00f3n de la entrada de la cola io_uring, el c\u00f3digo procede con punteros NULL. Cuando fuse_uring_register_queue falla, las asignaciones NUMA se filtran y la funci\u00f3n devuelve \u00e9xito incorrectamente. Solo el transporte io_uring se ve afectado; la ruta tradicional /dev/fuse no se ve afectada. PoC confirmado con AddressSanitizer/LeakSanitizer. Este problema ha sido parcheado en la versi\u00f3n 3.18.2."}], "lastModified": "2026-03-27T21:20:47.880", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:libfuse_project:libfuse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83EF6E3E-F5F2-4CE2-B497-62493DAB2A1F", "versionEndExcluding": "3.18.2", "versionStartIncluding": "3.18.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}