CVE-2026-33150, CVE-2026-33179: libfuse io_uring memory safety vulnerabilities (use-after-free, NULL deref)
嗯,用户发来了一段邮件内容,看起来是关于libfuse的两个漏洞的公告。他让我用中文帮他总结一下,控制在一百个字以内,而且不需要用“文章内容总结”之类的开头,直接写描述。 首先,我需要理解邮件的内容。邮件提到了两个漏洞:CVE-2026-33150和CVE-2026-33179。这两个漏洞都是在libfuse的io_uring代码路径中发现的内存安全问题。影响版本是3.18.0到3.18.2之前的版本,已经修复于3.18.2。 第一个漏洞是Use-After-Free,严重程度高,CVSS评分7.8,可能导致FUSE守护进程崩溃或代码执行。第二个漏洞是NULL指针解引用加上内存泄漏,严重程度中等,CVSS评分5.5,可能导致守护进程崩溃和内存泄漏。 漏洞是由Abhinav Agarwal报告的,并且在协调下发布了修复版本。时间线显示报告和修复的时间很接近。 接下来,我需要将这些信息浓缩到一百个字以内。重点包括:libfuse 3.18.0到3.18.2之前的io_uring路径中的两个内存安全漏洞被修复;具体漏洞类型及其影响;以及修复版本和时间。 可能的结构是:libfuse 3.18.x中的io_uring路径修复了两个内存安全漏洞(Use-After-Free和NULL指针解引用+内存泄漏),影响版本>=3.18.0且<3.18.2,在3.18.2中修复。 这样既涵盖了主要信息,又控制在了字数限制内。 </think> libfuse 3.18.x版本中修复了io_uring代码路径的两个内存安全漏洞(Use-After-Free和NULL指针解引用+内存泄漏),影响范围为>=3.18.0且<3.18.2的版本,在3.18.2中已修复。 2026-3-29 03:9:5 Author: seclists.org(查看原文) 阅读量:0 收藏
fulldisclosure logo

Full Disclosure mailing list archives

From: Abhinav Agarwal <abhinavagarwal1996 () gmail com>
Date: Fri, 20 Mar 2026 18:41:03 -0700
Two memory safety vulnerabilities in libfuse's io_uring code path
(introduced in 3.18.0) have been fixed in libfuse 3.18.2. Only the
io_uring transport is affected; the traditional /dev/fuse path is not.

Affected versions: libfuse >= 3.18.0, < 3.18.2
Fixed in: libfuse 3.18.2
  https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2


CVE-2026-33150: Use-After-Free
Severity: High (CVSS 7.8)
CWE: CWE-416

Use-after-free in io_uring session shutdown path. A local user can
crash the FUSE daemon or potentially execute arbitrary code.

Advisory: https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx
Fix: https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836
Credit: Abhinav Agarwal (reporter)
Remediation review: Akshat Sinha


CVE-2026-33179: NULL Pointer Dereference + Memory Leak
Severity: Moderate (CVSS 5.5)
CWE: CWE-476

Missing NULL checks and error-path cleanup in io_uring queue
initialization can crash the FUSE daemon on allocation failure
and leak NUMA memory.

Advisory: https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358
Fix: https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7
Credit: Abhinav Agarwal (reporter)
Remediation review: Akshat Sinha


Both issues were reported privately to the libfuse maintainer
and fixed in a coordinated release.

Timeline:
  2026-03-16  Use-after-free vulnerability reported to libfuse maintainer
  2026-03-17  NULL deref vulnerability reported to libfuse maintainer
  2026-03-18  Release 3.18.2 with fixes
  2026-03-19  GHSA advisories published (CVE-2026-33150, CVE-2026-33179)

--
Abhinav Agarwal
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

  • CVE-2026-33150, CVE-2026-33179: libfuse io_uring memory safety vulnerabilities (use-after-free, NULL deref) Abhinav Agarwal (Mar 28)

文章来源: https://seclists.org/fulldisclosure/2026/Mar/12
如有侵权请联系:admin#unsafe.sh