{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33179", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T22:16:36.720Z", "datePublished": "2026-03-20T20:20:09.171Z", "dateUpdated": "2026-03-25T13:55:45.971Z"}, "containers": {"cna": {"title": "libfuse: NULL Pointer Dereference and Memory Leak in io_uring Queue Initialization", "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "lang": "en", "description": "CWE-476: NULL Pointer Dereference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358"}, {"name": "https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7", "tags": ["x_refsource_MISC"], "url": "https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7"}, {"name": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2"}], "affected": [{"vendor": "libfuse", "product": "libfuse", "versions": [{"version": ">= 3.18.0, < 3.18.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T20:20:09.171Z"}, "descriptions": [{"lang": "en", "value": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2."}], "source": {"advisory": "GHSA-x669-v3mq-r358", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:55:38.887586Z", "id": "CVE-2026-33179", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:55:45.971Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33179", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:55:38.887586Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:55:42.459Z"}}], "cna": {"title": "libfuse: NULL Pointer Dereference and Memory Leak in io_uring Queue Initialization", "source": {"advisory": "GHSA-x669-v3mq-r358", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "libfuse", "product": "libfuse", "versions": [{"status": "affected", "version": ">= 3.18.0, < 3.18.2"}]}], "references": [{"url": "https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358", "name": "https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7", "name": "https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2", "name": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T20:20:09.171Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33179", "state": "PUBLISHED", "dateUpdated": "2026-03-25T13:55:45.971Z", "dateReserved": "2026-03-17T22:16:36.720Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T20:20:09.171Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libfuse_project:libfuse:*:*:*:*:*:*:*:*", "matchCriteriaId": "83EF6E3E-F5F2-4CE2-B497-62493DAB2A1F", "versionEndExcluding": "3.18.2", "versionStartIncluding": "3.18.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2."}, {"lang": "es", "value": "libfuse es la implementaci\u00f3n de referencia de FUSE de Linux. Desde la versi\u00f3n 3.18.0 hasta antes de la versi\u00f3n 3.18.2, una desreferencia de puntero NULL y una fuga de memoria en fuse_uring_init_queue permiten a un usuario local bloquear el demonio FUSE o causar agotamiento de recursos. Cuando numa_alloc_local falla durante la configuraci\u00f3n de la entrada de la cola io_uring, el c\u00f3digo procede con punteros NULL. Cuando fuse_uring_register_queue falla, las asignaciones NUMA se filtran y la funci\u00f3n devuelve \u00e9xito incorrectamente. Solo el transporte io_uring se ve afectado; la ruta tradicional /dev/fuse no se ve afectada. PoC confirmado con AddressSanitizer/LeakSanitizer. Este problema ha sido parcheado en la versi\u00f3n 3.18.2."}], "id": "CVE-2026-33179", "lastModified": "2026-03-27T21:20:47.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T21:17:16.593", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "libfuse: libfuse: Denial of Service via NULL pointer dereference and memory leak", "id": "2449775", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449775"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["A flaw was found in libfuse. A local user can exploit a NULL pointer dereference and memory leak vulnerability during the setup of the `io_uring` input/output mechanism. This can occur when memory allocation or queue registration fails, leading to the FUSE daemon crashing or resource exhaustion. This vulnerability results in a Denial of Service (DoS)."], "name": "CVE-2026-33179", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "fuse", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "fuse-sshfs", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2026-03-20T20:20:09Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33179\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33179\nhttps://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7\nhttps://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2\nhttps://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.18.0,3.18.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "libfuse", "source": "cna", "vendor": "libfuse"}, "product": "libfuse", "vendor": "libfuse"}], "analysis": {"en": {"generated_at": "2026-03-28T05:42:33.929429+00:00", "value": {"mitigation_remediation": ["Update libfuse to version 3.18.2 or later to apply the vendor patch", "If an upgrade is not immediately possible, configure the system to use the traditional /dev/fuse transport instead of io_uring", "After updating, verify that the FUSE daemon can start without crashes and monitor for any abnormal resource usage", "Ensure that only trusted users have the ability to mount filesystems that use the io_uring transport"], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The issue affects libfuse versions 3.18.0 up to, but not including, 3.18.2. Only the io_uring transport path is impacted; the traditional /dev/fuse interface remains safe. The affected product is the libfuse reference implementation used on Linux systems.", "description_and_impact": "The vulnerability in libfuse occurs during io_uring queue initialization when the code incorrectly handles failures from NUMA allocation or queue registration. A NULL pointer is dereferenced, and memory allocated during the process is not freed if registration fails, leading to a crash of the FUSE daemon or resource exhaustion. The flaw is a classic null pointer dereference and memory leak (CWE\u2011476).", "risk_and_exploitability": "The CVSS score of 5.5 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not present in the CISA Known Exploited Vulnerabilities catalog. Attackers must be able to run code locally on the target machine to trigger the fault, typically by creating or manipulating a filesystem that uses io_uring. If exploited, the daemon would crash or run out of memory, effectively disabling the FUSE mount for the local user."}}}}, "created": "2026-03-23T09:52:44.708867+00:00", "updated": "2026-03-29T20:28:53.968744+00:00", "vendors": ["libfuse", "libfuse$PRODUCT$libfuse"]}