JustAppSec
Back to news

libfuse patches io_uring use-after-free and daemon crash bugs

2 min readPublished 21 Mar 2026Source: Openwall oss-security mailing list
CVE-2026-33150CVE-2026-33179NewsLinuxMemory Safety

TL;DR — If you use libfuse’s io_uring transport, follow upstream remediation guidance and update to libfuse 3.18.2 (the fixed release called out in the disclosure).

What happened

An oss-security post discloses two memory-safety vulnerabilities in libfuse’s io_uring code path, which the author states was introduced in 3.18.0 and is fixed in libfuse 3.18.2. The disclosure emphasizes that only the io_uring transport is affected and that the traditional /dev/fuse path is not.

  • CVE-2026-33150 (High, CVSS 7.8): a use-after-free in the io_uring session shutdown path; the post states a local user can crash the FUSE daemon or potentially execute arbitrary code.
  • CVE-2026-33179 (Moderate, CVSS 5.5): NULL pointer dereference + memory leak due to missing NULL checks and error-path cleanup during io_uring queue initialization; the post states this can crash the FUSE daemon on allocation failure and leak NUMA memory.

This matters because FUSE is common in modern platform stacks (containers, dev environments, and storage/mount helpers), and io_uring-based fast paths can become a sharp edge: a “local” memory safety bug is still a meaningful risk in shared hosts and multi-tenant runner environments.

Who is impacted

  • Systems using libfuse >= 3.18.0, < 3.18.2.
  • Deployments that specifically enable or rely on the io_uring transport (the post states /dev/fuse is not impacted).
IssueSeverity (per disclosure)Affected versions (per disclosure)Fixed version (per disclosure)
Use-after-free in io_uring shutdown (CVE-2026-33150)High (CVSS 7.8)>= 3.18.0, < 3.18.23.18.2
NULL deref + memory leak in io_uring init (CVE-2026-33179)Moderate (CVSS 5.5)>= 3.18.0, < 3.18.23.18.2

What to do now

  • Update to libfuse 3.18.2 (the fixed release referenced in the disclosure).
  • Inventory where libfuse is deployed in production hosts/images and determine whether the io_uring transport is in use (as opposed to /dev/fuse).
  • Treat unexplained FUSE daemon crashes as a security signal until patched: review crash reports/core dumps and correlate with local user/process activity.
  • In shared-host / multi-tenant environments, reduce exposure by limiting which principals can trigger FUSE mounts or interact with FUSE daemons.

Additional Information

  • Release referenced by the disclosure: fuse-3.18.2.
  • Upstream advisories referenced by the disclosure: GHSA-qxv7-xrc2-qmfx and GHSA-x669-v3mq-r358.

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.

Need help?Get in touch.