From: Abhinav Agarwal <abhinavagarwal1996 () gmail com>
Date: Wed, 25 Mar 2026 01:37:52 -0700
Following up with a detailed writeup covering root cause analysis,
exploitation surface, and proof of concept for both CVEs:
https://abhinavagarwal07.github.io/posts/ringwraith/
Key points beyond the original advisory:
- The UAF (CVE-2026-33150) is triggered by pthread_create failure or
io_uring_queue_init_params failure, not by the CVE-2026-33179 sub-bugs
- Container resource limits (cgroup pids.max, RLIMIT_NPROC) reliably
cause pthread_create failure in the io_uring startup path
- CVE-2026-33179 has two independent sub-bugs: NULL deref on
numa_alloc_local failure, and error-swallowed-as-success causing a
filesystem hang; neither chains into the UAF in the shipped code
Regards,
Abhinav Agarwal
On Fri, Mar 20, 2026 at 6:24 PM Abhinav Agarwal
<abhinavagarwal1996 () gmail com> wrote:
Two memory safety vulnerabilities in libfuse's io_uring code path
(introduced in 3.18.0) have been fixed in libfuse 3.18.2. Only the
io_uring transport is affected; the traditional /dev/fuse path is not.
Affected versions: libfuse >= 3.18.0, < 3.18.2
Fixed in: libfuse 3.18.2
https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2
CVE-2026-33150: Use-After-Free
Severity: High (CVSS 7.8)
CWE: CWE-416
Use-after-free in io_uring session shutdown path. A local user can
crash the FUSE daemon or potentially execute arbitrary code.
Advisory: https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx
Fix: https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836
Credit: Abhinav Agarwal (reporter)
Remediation review: Akshat Sinha
CVE-2026-33179: NULL Pointer Dereference + Memory Leak
Severity: Moderate (CVSS 5.5)
CWE: CWE-476
Missing NULL checks and error-path cleanup in io_uring queue
initialization can crash the FUSE daemon on allocation failure
and leak NUMA memory.
Advisory: https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358
Fix: https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7
Credit: Abhinav Agarwal (reporter)
Remediation review: Akshat Sinha
Both issues were reported privately to the libfuse maintainer
and fixed in a coordinated release.
Timeline:
2026-03-16 first issue reported to libfuse maintainer
2026-03-17 second issue reported to libfuse maintainer
2026-03-18 Release 3.18.2 with fixes
2026-03-19 GHSA advisories published
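The failure path both mails describe (pthread_create failing part-way through io_uring worker startup, with the error swallowed and the session freed under running workers), as an added example that is not libfuse's code: a small C model of a multi-worker session start and teardown. The struct, the function names and the fail_at fault-injection hook are all constructed for the illustration; the hook stands in for the real trigger named above (RLIMIT_NPROC or cgroup pids.max driving pthread_create to EAGAIN), because the kernel does not enforce RLIMIT_NPROC for root or CAP_SYS_RESOURCE/CAP_SYS_ADMIN processes, so a live setrlimit demonstration would not behave the same under every uid. session_start_unsafe is the defect shape, kept only for contrast and never called; session_start is the hardened ordering.

```c
/* Added example, not libfuse's code: a minimal multi-worker session start and
 * teardown that survives pthread_create failing part-way through. fail_at is a
 * constructed fault-injection hook standing in for the real trigger
 * (RLIMIT_NPROC / cgroup pids.max making pthread_create return EAGAIN). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdlib.h>

#define NWORKERS 4
struct session {
    atomic_int shutdown;         /* 1 tells workers to exit */
    pthread_t  tid[NWORKERS];
    int        started;          /* threads actually created so far */
};

static atomic_int workers_exited; /* global: still readable after the session is freed */
static int fail_at = -1;          /* create number that fails (0-based); -1 = none */

static int create_worker(pthread_t *t, void *(*fn)(void *), void *arg, int idx)
{
    if (idx == fail_at)
        return EAGAIN;           /* pthread_create returns the error code directly */
    return pthread_create(t, NULL, fn, arg);
}

/* A real worker would service io_uring completions; this one only waits for
 * shutdown so the teardown ordering is observable. */
static void *worker(void *arg)
{
    struct session *se = arg;
    while (!atomic_load(&se->shutdown))
        sched_yield();
    atomic_fetch_add(&workers_exited, 1);
    return NULL;
}

/* Join every worker actually created. Must finish before the session memory
 * is released; a no-op when started == 0. */
static void session_stop_workers(struct session *se)
{
    atomic_store(&se->shutdown, 1);
    for (int i = 0; i < se->started; i++)
        pthread_join(se->tid[i], NULL);
    se->started = 0;
}

/* Defect pattern, kept for contrast and never called: on a failed create it
 * frees the session while workers 0..i-1 still run on it, then returns 0. */
int session_start_unsafe(struct session **out)
{
    struct session *se = calloc(1, sizeof *se);
    if (!se)
        return -ENOMEM;
    for (int i = 0; i < NWORKERS; i++) {
        if (create_worker(&se->tid[i], worker, se, i) != 0) {
            free(se);            /* running workers still reference se */
            break;               /* error swallowed */
        }
        se->started++;
    }
    *out = se;                   /* may point at freed memory */
    return 0;                    /* failure reported as success */
}

/* Hardened form: join the workers already running, free only afterwards, and
 * propagate the error instead of reporting success. */
int session_start(struct session **out)
{
    struct session *se = calloc(1, sizeof *se);
    if (!se)
        return -ENOMEM;
    for (int i = 0; i < NWORKERS; i++) {
        int err = create_worker(&se->tid[i], worker, se, i);
        if (err != 0) {
            session_stop_workers(se); /* workers 0..i-1 joined first */
            free(se);                 /* nothing references se any more */
            *out = NULL;
            return -err;              /* -EAGAIN, never 0 */
        }
        se->started++;
    }
    *out = se;
    return 0;
}

/* One start/stop cycle with injection at fail_idx (-1 for none); *exited
 * receives how many workers ran to completion before the session was freed. */
int run_cycle(int fail_idx, int *exited)
{
    struct session *se = NULL;
    atomic_store(&workers_exited, 0);
    fail_at = fail_idx;
    int rc = session_start(&se);
    if (rc == 0)
        session_stop_workers(se); /* normal shutdown: join, then free */
    free(se);                     /* NULL on the failure path */
    fail_at = -1;
    *exited = atomic_load(&workers_exited);
    return rc;
}
```

Build with a C11 compiler and `-pthread`. run_cycle(2, &n) returns -EAGAIN with n == 2: the two workers that had already started were joined before the session was released, and the caller sees the failure. The unsafe variant on the same injection would return 0 and hand back a pointer to freed memory, which is the use-after-free shape the thread describes.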