CVE-2026-33150
Use-After-Free in libfuse io_uring Enables Local Code Execution
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libfuse_project | libfuse | From 3.18.0 (inc) to 3.18.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-33150 is a use-after-free vulnerability in the io_uring subsystem of libfuse versions 3.18.0 to before 3.18.2. It occurs when the function fuse_uring_start() fails to create an io_uring thread due to resource exhaustion, such as cgroup pids.max limits. In this error path, the fuse_ring structure is freed but the pointer to it is mistakenly kept in the session state, leading to a dangling pointer.'}, {'type': 'paragraph', 'content': "Later, when the FUSE session shuts down, the cleanup code accesses this freed memory, causing a use-after-free condition. This can crash FUSE filesystem processes and potentially allow an attacker to execute arbitrary code by manipulating the freed memory during the session's lifetime."}, {'type': 'paragraph', 'content': 'The vulnerability is reliably triggered in containerized environments where thread creation is limited by cgroup pids.max. It affects any application using libfuse 3.18.0 or newer with io_uring transport enabled.'}] [2, 3]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can cause denial of service by crashing any FUSE filesystem process using io_uring transport. Because FUSE daemons typically run with root privileges, exploitation can lead to privilege escalation.'}, {'type': 'paragraph', 'content': "An attacker can exploit the use-after-free by reallocating the freed memory with attacker-controlled data during the session's lifetime. Upon session shutdown, the destructor interprets this data as internal structure fields and performs operations such as free(), close(), and pthread_cancel() on attacker-influenced values, enabling arbitrary code execution."}, {'type': 'paragraph', 'content': 'Containerized environments, especially Kubernetes CSI drivers, are particularly vulnerable due to the common use of cgroup pids.max limits that trigger this bug.'}] [3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs in libfuse versions 3.18.0 to before 3.18.2 when the io_uring transport is enabled. Detection involves verifying the libfuse version and whether io_uring transport is in use.
You can check the installed libfuse version with the following command:
- fusermount --version
Or check the package version via your package manager, for example on Debian-based systems:
- dpkg -l | grep libfuse
To detect if the vulnerable io_uring transport is enabled or in use, you may need to inspect the FUSE filesystem mount options or the application configuration that uses libfuse with io_uring.
Since the vulnerability is triggered by resource exhaustion such as cgroup pids.max limits, monitoring container or system logs for crashes of FUSE filesystem processes or unusual thread creation failures can also help detect exploitation attempts.
No specific detection commands or signatures are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade libfuse to version 3.18.2 or later, where the vulnerability has been patched by properly nullifying pointers after free operations and adding necessary NULL checks.
If upgrading immediately is not possible, consider disabling the io_uring transport in libfuse-based applications or avoid running them in containerized environments with strict cgroup pids.max limits that trigger the bug.
Monitoring and limiting resource exhaustion conditions that cause io_uring thread creation failures can reduce the likelihood of triggering the vulnerability.
Additionally, review and apply any vendor or distribution security advisories related to libfuse and io_uring.