FKIE_CVE-2026-33150

Vulnerability from fkie_nvd - Published: 2026-03-20 21:17 - Updated: 2026-03-23 19:16
Summary
libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.
Impacted products
Vendor Product Version
libfuse_project libfuse *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:libfuse_project:libfuse:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "83EF6E3E-F5F2-4CE2-B497-62493DAB2A1F",
              "versionEndExcluding": "3.18.2",
              "versionStartIncluding": "3.18.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2."
    },
    {
      "lang": "es",
      "value": "libfuse es la implementaci\u00f3n de referencia de FUSE de Linux. Desde la versi\u00f3n 3.18.0 hasta antes de la versi\u00f3n 3.18.2, una vulnerabilidad de uso despu\u00e9s de liberaci\u00f3n en el subsistema io_uring de libfuse permite a un atacante local colapsar procesos del sistema de archivos FUSE y potencialmente ejecutar c\u00f3digo arbitrario. Cuando la creaci\u00f3n de hilos de io_uring falla debido al agotamiento de recursos (por ejemplo, cgroup pids.max), fuse_uring_start() libera la estructura del pool de anillos pero almacena el puntero colgante en el estado de la sesi\u00f3n, lo que lleva a un uso despu\u00e9s de liberaci\u00f3n cuando la sesi\u00f3n se cierra. El disparador es fiable en entornos contenerizados donde los l\u00edmites de cgroup pids.max restringen naturalmente la creaci\u00f3n de hilos. Este problema ha sido parcheado en la versi\u00f3n 3.18.2."
    }
  ],
  "id": "CVE-2026-33150",
  "lastModified": "2026-03-23T19:16:14.717",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T21:17:15.410",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

