CVE-2026-33179
Received Received - Intake

NULL Pointer Dereference and Memory Leak in libfuse io_uring

Vulnerability report for CVE-2026-33179, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-20

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description

libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-20
Last Modified
2026-03-27
Generated
2026-07-06
AI Q&A
2026-03-20
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
libfuse_project libfuse From 3.18.0 (inc) to 3.18.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33179 is a vulnerability in libfuse's io_uring subsystem, specifically in the function fuse_uring_init_queue. It involves two main bugs: first, the code does not check if memory allocation via numa_alloc_local() succeeds, and if it fails, it continues using NULL pointers, leading to a NULL pointer dereference. Second, when fuse_uring_register_queue() fails, the function incorrectly returns success without freeing allocated memory, causing a memory leak. These bugs can cause the FUSE daemon to crash or exhaust system resources."}, {'type': 'paragraph', 'content': 'The issue affects only the io_uring transport mechanism and not the traditional /dev/fuse interface. Proper error handling was missing, which has been fixed in later versions by returning errors immediately and ensuring cleanup of allocated resources.'}] [1, 2]

Impact Analysis

This vulnerability can be exploited by a local user to cause a denial of service by crashing the FUSE daemon or causing resource exhaustion through memory leaks. The NULL pointer dereference can lead to daemon crashes, while the memory leak can consume system resources, potentially degrading system performance or availability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves a NULL pointer dereference and memory leak in the fuse_uring_init_queue function of libfuse's io_uring transport. Detection can focus on monitoring the FUSE daemon for crashes or resource exhaustion symptoms caused by this issue."}, {'type': 'paragraph', 'content': 'Since the issue occurs during io_uring queue initialization, you can check the version of libfuse installed to see if it falls within the vulnerable range (3.18.0 to before 3.18.2).'}, {'type': 'paragraph', 'content': 'Commands to help detect the vulnerability or its effects include:'}, {'type': 'list_item', 'content': 'Check libfuse version: `fusermount --version` or `dpkg -l | grep libfuse`'}, {'type': 'list_item', 'content': 'Monitor FUSE daemon logs for crashes or errors related to io_uring queue initialization, e.g., `journalctl -u fuse-daemon` or relevant system logs.'}, {'type': 'list_item', 'content': 'Use tools like AddressSanitizer or LeakSanitizer if you can reproduce the issue in a test environment to detect NULL pointer dereferences or memory leaks.'}, {'type': 'list_item', 'content': 'Monitor system resource usage for unusual memory leaks or daemon crashes that could indicate exploitation.'}] [1, 2]

Mitigation Strategies

The primary mitigation is to upgrade libfuse to version 3.18.2 or later, where the vulnerability has been patched with proper error handling and resource cleanup.

Until an upgrade is possible, consider limiting local user access to the system or restricting the use of the io_uring transport mechanism in libfuse, as the traditional /dev/fuse path is not affected.

Monitor the FUSE daemon for crashes or resource exhaustion and restart it if necessary to recover from potential exploitation.

Apply any available security advisories or patches from your Linux distribution or libfuse maintainers as soon as they become available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33179. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart