libfuse io_uring Vulnerabilities - Critical Memory Flaws Found
Basically, two bugs in a software library could let bad actors crash systems or run harmful code.
Two critical memory safety vulnerabilities were discovered in libfuse's io_uring code path. These flaws could lead to crashes or arbitrary code execution. Immediate updates are advised.
The Flaw
Two significant memory safety vulnerabilities have been identified in the libfuse library's io_uring code path. The first, identified as CVE-2026-33150, is a use-after-free vulnerability that can potentially allow a local user to crash the FUSE daemon or execute arbitrary code. This flaw was introduced in version 3.18.0 of libfuse and has a high severity rating of 7.8 on the CVSS scale.
The second vulnerability, CVE-2026-33179, is a NULL pointer dereference that can lead to crashes during the initialization of the io_uring queue. This issue, while rated moderate with a CVSS score of 5.5, can still disrupt service and leak memory resources.
What's at Risk
The vulnerabilities primarily affect versions of libfuse from 3.18.0 to just below 3.18.2. The traditional /dev/fuse path remains unaffected, limiting the scope of these vulnerabilities. However, users relying on the io_uring transport could face significant operational disruptions, including potential data loss and unauthorized access.
Exploiting these vulnerabilities could allow attackers to disrupt services or gain control over systems, making it crucial for users to address these issues promptly.
Patch Status
Both vulnerabilities have been addressed in the recent release of libfuse 3.18.2, which was made available on March 18, 2026. Users are strongly encouraged to upgrade to this version to mitigate risks associated with these vulnerabilities. The fixes were part of a coordinated effort with advisories published shortly after the vulnerabilities were reported.
For those interested in the technical details, the fixes can be found in the respective commits linked in the advisories. It's essential to stay updated on such vulnerabilities to ensure system integrity and security.
Immediate Actions
To protect your systems from these vulnerabilities, follow these steps:
- Upgrade to libfuse version 3.18.2 or later immediately.
- Review your systems for any signs of abnormal behavior that could indicate exploitation attempts.
- Monitor security advisories for any further updates or related vulnerabilities.
By taking these actions, you can help safeguard your systems against potential exploits stemming from these memory safety vulnerabilities.