Search criteria
3 vulnerabilities by libfuse_project
CVE-2026-33150 (GCVE-0-2026-33150)
Vulnerability from cvelistv5 – Published: 2026-03-20 20:20 – Updated: 2026-03-27 03:55
VLAI
Title
Use After Free in libfuse
Summary
libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.
Severity
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/libfuse/libfuse/security/advis… | x_refsource_CONFIRM |
| https://github.com/libfuse/libfuse/commit/49fcd89… | x_refsource_MISC |
| https://github.com/libfuse/libfuse/releases/tag/f… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33150",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T03:55:40.426Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "libfuse",
"vendor": "libfuse",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.18.0, \u003c 3.18.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T20:20:29.963Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx"
},
{
"name": "https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836"
},
{
"name": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2"
}
],
"source": {
"advisory": "GHSA-qxv7-xrc2-qmfx",
"discovery": "UNKNOWN"
},
"title": "Use After Free in libfuse"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33150",
"datePublished": "2026-03-20T20:20:29.963Z",
"dateReserved": "2026-03-17T21:17:08.885Z",
"dateUpdated": "2026-03-27T03:55:40.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33179 (GCVE-0-2026-33179)
Vulnerability from cvelistv5 – Published: 2026-03-20 20:20 – Updated: 2026-03-25 13:55
VLAI
Title
libfuse: NULL Pointer Dereference and Memory Leak in io_uring Queue Initialization
Summary
libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.
Severity
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/libfuse/libfuse/security/advis… | x_refsource_CONFIRM |
| https://github.com/libfuse/libfuse/commit/7beb86c… | x_refsource_MISC |
| https://github.com/libfuse/libfuse/releases/tag/f… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T13:55:38.887586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T13:55:45.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "libfuse",
"vendor": "libfuse",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.18.0, \u003c 3.18.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T20:20:09.171Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358"
},
{
"name": "https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7"
},
{
"name": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2"
}
],
"source": {
"advisory": "GHSA-x669-v3mq-r358",
"discovery": "UNKNOWN"
},
"title": "libfuse: NULL Pointer Dereference and Memory Leak in io_uring Queue Initialization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33179",
"datePublished": "2026-03-20T20:20:09.171Z",
"dateReserved": "2026-03-17T22:16:36.720Z",
"dateUpdated": "2026-03-25T13:55:45.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2010-3879 (GCVE-0-2010-3879)
Vulnerability from cvelistv5 – Published: 2011-01-22 21:00 – Updated: 2024-08-07 03:26
VLAI
Summary
FUSE, possibly 2.8.5 and earlier, allows local users to create mtab entries with arbitrary pathnames, and consequently unmount any filesystem, via a symlink attack on the parent directory of the mountpoint of a FUSE filesystem, a different vulnerability than CVE-2010-0789.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
20 references
Date Public
2010-11-02 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:26:11.877Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.halfdog.net/Security/FuseTimerace/"
},
{
"name": "USN-1045-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-1045-1"
},
{
"name": "42965",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/42965"
},
{
"name": "fuse-fusermount-tool-dos(62986)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62986"
},
{
"name": "20101102 fusermount: Unmount any filesystem",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2010-November/077247.html"
},
{
"name": "[oss-security] 20101104 CVE request: fuse",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/11/04/8"
},
{
"name": "ADV-2011-0302",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2011/0302"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.novell.com/show_bug.cgi?id=651598"
},
{
"name": "ADV-2011-0181",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2011/0181"
},
{
"name": "SUSE-SR:2011:005",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=651183"
},
{
"name": "42961",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/42961"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.launchpad.net/bugs/670622"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602333"
},
{
"name": "44623",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/44623"
},
{
"name": "[oss-security] 20101105 Re: CVE request: fuse",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/11/05/2"
},
{
"name": "USN-1045-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-1045-2"
},
{
"name": "FEDORA-2011-0854",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053792.html"
},
{
"name": "70520",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/70520"
},
{
"name": "MDVSA-2013:155",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA",
"x_transferred"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:155"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2010-11-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "FUSE, possibly 2.8.5 and earlier, allows local users to create mtab entries with arbitrary pathnames, and consequently unmount any filesystem, via a symlink attack on the parent directory of the mountpoint of a FUSE filesystem, a different vulnerability than CVE-2010-0789."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-16T14:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.halfdog.net/Security/FuseTimerace/"
},
{
"name": "USN-1045-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-1045-1"
},
{
"name": "42965",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/42965"
},
{
"name": "fuse-fusermount-tool-dos(62986)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62986"
},
{
"name": "20101102 fusermount: Unmount any filesystem",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2010-November/077247.html"
},
{
"name": "[oss-security] 20101104 CVE request: fuse",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/11/04/8"
},
{
"name": "ADV-2011-0302",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2011/0302"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.novell.com/show_bug.cgi?id=651598"
},
{
"name": "ADV-2011-0181",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2011/0181"
},
{
"name": "SUSE-SR:2011:005",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=651183"
},
{
"name": "42961",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/42961"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.launchpad.net/bugs/670622"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602333"
},
{
"name": "44623",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/44623"
},
{
"name": "[oss-security] 20101105 Re: CVE request: fuse",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/11/05/2"
},
{
"name": "USN-1045-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-1045-2"
},
{
"name": "FEDORA-2011-0854",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053792.html"
},
{
"name": "70520",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/70520"
},
{
"name": "MDVSA-2013:155",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:155"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2010-3879",
"datePublished": "2011-01-22T21:00:00.000Z",
"dateReserved": "2010-10-08T00:00:00.000Z",
"dateUpdated": "2024-08-07T03:26:11.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}