CVE-2026-33179
- Source
- https://cve.org/CVERecord?id=CVE-2026-33179
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33179.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-33179
- Aliases
-
- GHSA-x669-v3mq-r358
- Downstream
- Published
- 2026-03-20T20:20:09.171Z
- Modified
- 2026-05-14T03:52:51.812748868Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- libfuse: NULL Pointer Dereference and Memory Leak in io_uring Queue Initialization
- Details
-
libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuseuringinitqueue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numaalloclocal fails during iouring queue entry setup, the code proceeds with NULL pointers. When fuseuringregisterqueue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the iouring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.
- Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33179.json", "cwe_ids": [ "CWE-476" ] }- References
-
- https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33179.json
- https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358
- https://nvd.nist.gov/vuln/detail/CVE-2026-33179
- https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7