CVE-2026-33179
NULL Pointer Dereference and Memory Leak in libfuse io_uring
Publication date: 2026-03-20
Last updated on: 2026-03-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libfuse_project | libfuse | From 3.18.0 (inc) to 3.18.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33179 is a vulnerability in libfuse's io_uring subsystem, specifically in the function fuse_uring_init_queue. It involves two main bugs: first, the code does not check if memory allocation via numa_alloc_local() succeeds, and if it fails, it continues using NULL pointers, leading to a NULL pointer dereference. Second, when fuse_uring_register_queue() fails, the function incorrectly returns success without freeing allocated memory, causing a memory leak. These bugs can cause the FUSE daemon to crash or exhaust system resources.

The issue affects only the io_uring transport mechanism and not the traditional /dev/fuse interface. Proper error handling was missing, which has been fixed in later versions by returning errors immediately and ensuring cleanup of allocated resources. [1, 2]
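The error-handling pattern described above (check each allocation, free on every failure path, return the error), shown as an added C example that is not libfuse's code. `demo_alloc`, `demo_register` and `struct demo_queue` with its fields are hypothetical stand-ins for `numa_alloc_local()`, `fuse_uring_register_queue()` and the queue state, and the failure injection is constructed.

```c
/* Added illustration, not libfuse source; demo_* names and fail_* knobs are hypothetical. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
static int fail_alloc_at = -1, alloc_calls, live_allocs, fail_register;
static void *demo_alloc(size_t n)   /* stand-in for numa_alloc_local() */
{
    void *p = (alloc_calls++ == fail_alloc_at) ? NULL : malloc(n);
    if (p) live_allocs++;
    return p;
}
static void demo_free(void *p) { if (p) { live_allocs--; free(p); } }
/* Stand-in for fuse_uring_register_queue(). */
static int demo_register(void) { return fail_register ? -EIO : 0; }
struct demo_queue { void *hdr, *payload; };   /* hypothetical queue buffers */

/* Check every allocation, unwind on failure, never report success on error. */
static int demo_init_queue(struct demo_queue *q, size_t hdr_sz, size_t pay_sz)
{
    int res = -ENOMEM;
    q->payload = NULL;
    q->hdr = demo_alloc(hdr_sz);
    if (!q->hdr) return res;            /* never touch a NULL buffer */
    q->payload = demo_alloc(pay_sz);
    if (!q->payload) goto err;
    memset(q->hdr, 0, hdr_sz);          /* safe: both pointers verified */
    res = demo_register();
    if (res == 0) return 0;
err:                                    /* failure: free what was allocated */
    demo_free(q->payload);
    demo_free(q->hdr);
    q->hdr = q->payload = NULL;
    return res;                         /* propagate the error, not success */
}
/* Run one scenario; *leaked is the count of buffers still allocated afterwards. */
static int demo_run(int fail_at, int reg_fail, int *leaked)
{
    struct demo_queue q;
    fail_alloc_at = fail_at; fail_register = reg_fail; alloc_calls = live_allocs = 0;
    int res = demo_init_queue(&q, 64, 4096);
    if (res == 0) { demo_free(q.payload); demo_free(q.hdr); }   /* normal teardown */
    *leaked = live_allocs;
    return res;
}
int main(void)
{
    int leaked, res = demo_run(-1, 1, &leaked);   /* registration fails */
    return (res == -EIO && leaked == 0) ? 0 : 1;  /* exit 0: error returned, nothing leaked */
}
```

Dropping either `if (!...)` check or returning 0 from the `err:` path reproduces the two failure modes the description names: a write through a NULL buffer, or buffers left allocated after a failed registration.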
How can this vulnerability impact me?
This vulnerability can be exploited by a local user to cause a denial of service by crashing the FUSE daemon or causing resource exhaustion through memory leaks. The NULL pointer dereference can lead to daemon crashes, while the memory leak can consume system resources, potentially degrading system performance or availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a NULL pointer dereference and memory leak in the fuse_uring_init_queue function of libfuse's io_uring transport. Detection can focus on monitoring the FUSE daemon for crashes or resource exhaustion symptoms caused by this issue.

Since the issue occurs during io_uring queue initialization, you can check the version of libfuse installed to see if it falls within the vulnerable range (3.18.0 to before 3.18.2).

Commands to help detect the vulnerability or its effects include:

- Check libfuse version: `fusermount --version` or `dpkg -l | grep libfuse`
- Monitor FUSE daemon logs for crashes or errors related to io_uring queue initialization, e.g., `journalctl -u fuse-daemon` or relevant system logs.
- Use tools like AddressSanitizer or LeakSanitizer if you can reproduce the issue in a test environment to detect NULL pointer dereferences or memory leaks.
- Monitor system resource usage for unusual memory leaks or daemon crashes that could indicate exploitation.

[1, 2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade libfuse to version 3.18.2 or later, where the vulnerability has been patched with proper error handling and resource cleanup.
Until an upgrade is possible, consider limiting local user access to the system or restricting the use of the io_uring transport mechanism in libfuse, as the traditional /dev/fuse path is not affected.
Monitor the FUSE daemon for crashes or resource exhaustion and restart it if necessary to recover from potential exploitation.
Apply any available security advisories or patches from your Linux distribution or libfuse maintainers as soon as they become available.