Description
libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.
Published: 2026-03-20
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free flaw exists in libfuse’s io_uring subsystem. When thread creation fails, the ring pool structure is freed while a dangling pointer remains in session state. During cleanup this pointer is dereferenced, allowing a local attacker to crash the filesystem process or, if they control memory, execute arbitrary code. The issue maps to CWE‑416 (Use After Free) and CWE‑825 (Use of Uninitialized Variable).

Affected Systems

The vulnerability affects libfuse versions from 3.18.0 up to, but not including, 3.18.2. All Linux systems running the default FUSE reference implementation and using io_uring for file system operations are impacted. The patch is available in libfuse 3.18.2 and later.

Risk and Exploitability

The CVSS base score is 7.8, indicating high severity. EPSS is below 1% and the vulnerability is not listed in the CISA KEV catalog, marking it as low probability of exploitation. The attack vector is local; exploitation requires an attacker with access to the host or a container running the vulnerable FUSE instance, especially in environments where cgroup pids.max limits thread creation. Successful exploitation can result in application crashes or arbitrary code execution with the privileges of the FUSE process.

Generated by OpenCVE AI on March 26, 2026 at 15:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libfuse to version 3.18.2 or newer.

Generated by OpenCVE AI on March 26, 2026 at 15:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Libfuse Project
Libfuse Project libfuse
CPEs cpe:2.3:a:libfuse_project:libfuse:*:*:*:*:*:*:*:*
Vendors & Products Libfuse Project
Libfuse Project libfuse

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Libfuse
Libfuse libfuse
Vendors & Products Libfuse
Libfuse libfuse

Fri, 20 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Description libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.
Title Use After Free in libfuse
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Libfuse Libfuse
Libfuse Project Libfuse
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T03:55:40.426Z

Reserved: 2026-03-17T21:17:08.885Z

Link: CVE-2026-33150

cve-icon Vulnrichment

Updated: 2026-03-24T18:52:37.326Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T21:17:15.410

Modified: 2026-03-23T19:16:14.717

Link: CVE-2026-33150

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-20T20:20:29Z

Links: CVE-2026-33150 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:21:29Z

Weaknesses