CVE-2026-33150

Published: Mar 20, 2026

Modified: Mar 27, 2026

PUBLISHED

CVSS v3.1

7.8

HIGH

Description

libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.

Vendor	Product	Versions
libfuse	libfuse	affected `>= 3.18.0, < 3.18.2`

Weaknesses (CWE)

CWE-416

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx

x_refsource_CONFIRM

https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836

x_refsource_MISC

https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-33150

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References