Description
libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.
Published: 2026-03-20
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability in libfuse occurs during io_uring queue initialization when the code incorrectly handles failures from NUMA allocation or queue registration. A NULL pointer is dereferenced, and memory allocated during the process is not freed if registration fails, leading to a crash of the FUSE daemon or resource exhaustion. The flaw is a classic null pointer dereference and memory leak (CWE‑476).

Affected Systems

The issue affects libfuse versions 3.18.0 up to, but not including, 3.18.2. Only the io_uring transport path is impacted; the traditional /dev/fuse interface remains safe. The affected product is the libfuse reference implementation used on Linux systems.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not present in the CISA Known Exploited Vulnerabilities catalog. Attackers must be able to run code locally on the target machine to trigger the fault, typically by creating or manipulating a filesystem that uses io_uring. If exploited, the daemon would crash or run out of memory, effectively disabling the FUSE mount for the local user.

Generated by OpenCVE AI on March 28, 2026 at 05:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update libfuse to version 3.18.2 or later to apply the vendor patch
  • If an upgrade is not immediately possible, configure the system to use the traditional /dev/fuse transport instead of io_uring
  • After updating, verify that the FUSE daemon can start without crashes and monitor for any abnormal resource usage
  • Ensure that only trusted users have the ability to mount filesystems that use the io_uring transport

Generated by OpenCVE AI on March 28, 2026 at 05:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Libfuse Project
Libfuse Project libfuse
CPEs cpe:2.3:a:libfuse_project:libfuse:*:*:*:*:*:*:*:*
Vendors & Products Libfuse Project
Libfuse Project libfuse

Thu, 26 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Libfuse
Libfuse libfuse
Vendors & Products Libfuse
Libfuse libfuse

Fri, 20 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Description libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.
Title libfuse: NULL Pointer Dereference and Memory Leak in io_uring Queue Initialization
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Libfuse Libfuse
Libfuse Project Libfuse
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:55:45.971Z

Reserved: 2026-03-17T22:16:36.720Z

Link: CVE-2026-33179

cve-icon Vulnrichment

Updated: 2026-03-25T13:55:42.459Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T21:17:16.593

Modified: 2026-03-27T21:20:47.880

Link: CVE-2026-33179

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-20T20:20:09Z

Links: CVE-2026-33179 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:28:53Z

Weaknesses