[FD] CVE-2026-33150, CVE-2026-33179: libfuse io_uring memory safety vulnerabilities (use-after-free, NULL deref)

[Abhinav Agarwal <abhinavagarwal1996@xxxxxxxxx>]

Two memory safety vulnerabilities in libfuse's io_uring code path
(introduced in 3.18.0) have been fixed in libfuse 3.18.2. Only the
io_uring transport is affected; the traditional /dev/fuse path is not.

Affected versions: libfuse >= 3.18.0, < 3.18.2
Fixed in: libfuse 3.18.2
  https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2


CVE-2026-33150: Use-After-Free
Severity: High (CVSS 7.8)
CWE: CWE-416

Use-after-free in io_uring session shutdown path. A local user can
crash the FUSE daemon or potentially execute arbitrary code.

Advisory: 
https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx
Fix: 
https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836
Credit: Abhinav Agarwal (reporter)
Remediation review: Akshat Sinha


CVE-2026-33179: NULL Pointer Dereference + Memory Leak
Severity: Moderate (CVSS 5.5)
CWE: CWE-476

Missing NULL checks and error-path cleanup in io_uring queue
initialization can crash the FUSE daemon on allocation failure
and leak NUMA memory.

Advisory: 
https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358
Fix: 
https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7
Credit: Abhinav Agarwal (reporter)
Remediation review: Akshat Sinha


Both issues were reported privately to the libfuse maintainer
and fixed in a coordinated release.

Timeline:
  2026-03-16  Use-after-free vulnerability reported to libfuse maintainer
  2026-03-17  NULL deref vulnerability reported to libfuse maintainer
  2026-03-18  Release 3.18.2 with fixes
  2026-03-19  GHSA advisories published (CVE-2026-33150, CVE-2026-33179)

--
Abhinav Agarwal
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/