DEBIAN-CVE-2026-33179

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-33179
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33179.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-33179
Upstream
Published
2026-03-20T21:17:16.593Z
Modified
2026-04-28T20:32:45.953974Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuseuringinitqueue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numaalloclocal fails during iouring queue entry setup, the code proceeds with NULL pointers. When fuseuringregisterqueue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the iouring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.

References

Affected packages

Debian:14 / fuse3

Package

Name
fuse3
Purl
pkg:deb/debian/fuse3?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.18.2-1

Affected versions

3.*
3.17.2-3
3.17.3-1
3.17.4-1
3.18.1-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33179.json"