CVE-2026-33150
Received Received - Intake
Use-After-Free in libfuse io_uring Enables Local Code Execution

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33150
EUVD
EUVD-2026-13786
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libfuse_project libfuse From 3.18.0 (inc) to 3.18.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33150 is a use-after-free vulnerability in the io_uring subsystem of libfuse versions 3.18.0 to before 3.18.2. It occurs when the function fuse_uring_start() fails to create an io_uring thread due to resource exhaustion, such as cgroup pids.max limits. In this error path, the fuse_ring structure is freed but the pointer to it is mistakenly kept in the session state, leading to a dangling pointer.'}, {'type': 'paragraph', 'content': "Later, when the FUSE session shuts down, the cleanup code accesses this freed memory, causing a use-after-free condition. This can crash FUSE filesystem processes and potentially allow an attacker to execute arbitrary code by manipulating the freed memory during the session's lifetime."}, {'type': 'paragraph', 'content': 'The vulnerability is reliably triggered in containerized environments where thread creation is limited by cgroup pids.max. It affects any application using libfuse 3.18.0 or newer with io_uring transport enabled.'}] [2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can cause denial of service by crashing any FUSE filesystem process using io_uring transport. Because FUSE daemons typically run with root privileges, exploitation can lead to privilege escalation.'}, {'type': 'paragraph', 'content': "An attacker can exploit the use-after-free by reallocating the freed memory with attacker-controlled data during the session's lifetime. Upon session shutdown, the destructor interprets this data as internal structure fields and performs operations such as free(), close(), and pthread_cancel() on attacker-influenced values, enabling arbitrary code execution."}, {'type': 'paragraph', 'content': 'Containerized environments, especially Kubernetes CSI drivers, are particularly vulnerable due to the common use of cgroup pids.max limits that trigger this bug.'}] [3]

Compliance Impact

I don't know

Detection Guidance

This vulnerability occurs in libfuse versions 3.18.0 to before 3.18.2 when the io_uring transport is enabled. Detection involves verifying the libfuse version and whether io_uring transport is in use.

You can check the installed libfuse version with the following command:

  • fusermount --version

Or check the package version via your package manager, for example on Debian-based systems:

  • dpkg -l | grep libfuse

To detect if the vulnerable io_uring transport is enabled or in use, you may need to inspect the FUSE filesystem mount options or the application configuration that uses libfuse with io_uring.

Since the vulnerability is triggered by resource exhaustion such as cgroup pids.max limits, monitoring container or system logs for crashes of FUSE filesystem processes or unusual thread creation failures can also help detect exploitation attempts.

No specific detection commands or signatures are provided in the available resources.

Mitigation Strategies

The primary mitigation is to upgrade libfuse to version 3.18.2 or later, where the vulnerability has been patched by properly nullifying pointers after free operations and adding necessary NULL checks.

If upgrading immediately is not possible, consider disabling the io_uring transport in libfuse-based applications or avoid running them in containerized environments with strict cgroup pids.max limits that trigger the bug.

Monitoring and limiting resource exhaustion conditions that cause io_uring thread creation failures can reduce the likelihood of triggering the vulnerability.

Additionally, review and apply any vendor or distribution security advisories related to libfuse and io_uring.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33150. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart