Use-After-Free Vulnerability in libfuse Affecting Linux Implementations
CVE-2026-33150

7.8HIGH

Key Information:

Vendor

Libfuse

Status
Vendor
CVE Published:
20 March 2026

Badges

👾 Exploit Exists 🟡 Public PoC

What is CVE-2026-33150?

CVE-2026-33150 is a use-after-free vulnerability in libfuse, the reference implementation of the Linux Filesystem in Userspace (FUSE) interface. The library lets developers implement filesystems as ordinary user-space processes instead of kernel code. The flaw is in the io_uring support of libfuse versions 3.18.0 up to, but not including, 3.18.2: when creation of an io_uring worker thread fails, for example because a resource limit is hit, the error path frees the thread's ring pool structure while another reference to it is still held. Any later use of that stale reference is a use-after-free. A local attacker who can provoke the thread-creation failure can crash the FUSE filesystem process, and, as with any use-after-free, arbitrary code execution in the context of that process cannot be ruled out. The condition is easiest to reach where resource limits are enforced on the process, such as containers with cgroup limits, so those environments are the most exposed.
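The error-path ownership mistake described above, as an added illustrative model. This is not libfuse code: the structures (ring_pool, ring_ctx) and function names are hypothetical, and thread creation is injected so the EAGAIN that a cgroup pids limit would produce can be simulated deterministically. Frees and reads go through a tiny quarantine tracker so the double free and the stale read are counted instead of corrupting the heap; the vulnerable shape frees the pool inside the failing callee while the caller keeps its pointer, the fixed shape leaves ownership with the caller, which frees exactly once.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for a per-thread ring pool and the context that
 * owns it; these are NOT libfuse's real structures. */
struct ring_pool { int depth; unsigned char *buf; };
struct ring_ctx  { struct ring_pool *pool; pthread_t tid; };

/* Minimal quarantine tracker: a freed pool's address is remembered and the
 * struct itself is deliberately leaked, so a second free or a later read is
 * counted rather than executed. In a real build use -fsanitize=address. */
#define QUARANTINE 16
static const void *freed[QUARANTINE];
static int nfreed, double_frees, uafs;

static bool is_freed(const void *p) {
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) return true;
    return false;
}
static void tracker_reset(void) { nfreed = double_frees = uafs = 0; }

static struct ring_pool *pool_new(int depth) {
    struct ring_pool *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->depth = depth;
    p->buf = calloc((size_t)depth, 64);      /* stand-in for ring buffers */
    return p;
}
static void pool_free(struct ring_pool *p) {
    if (!p) return;
    if (is_freed(p)) { double_frees++; return; }   /* second free of one block */
    if (nfreed < QUARANTINE) freed[nfreed++] = p;
    free(p->buf);
}
/* Every read of a pool goes through here so a stale reference is counted. */
static int pool_depth(const struct ring_pool *p) {
    if (is_freed(p)) { uafs++; return -1; }
    return p->depth;
}

/* Thread creation is injected: create_eagain simulates the failure a
 * pids.max cgroup limit would cause, create_real calls pthread_create. */
typedef int (*create_fn)(pthread_t *, void *(*)(void *), void *);
static void *worker(void *arg) { (void)arg; return NULL; }
static int create_real(pthread_t *t, void *(*f)(void *), void *a) {
    return pthread_create(t, NULL, f, a);
}
static int create_eagain(pthread_t *t, void *(*f)(void *), void *a) {
    (void)t; (void)f; (void)a;
    return EAGAIN;
}

/* Vulnerable shape: on failure the callee frees ctx->pool but leaves the
 * pointer in ctx, so the caller still holds a reference to freed memory. */
static int start_thread_vuln(struct ring_ctx *ctx, create_fn create) {
    int rc = create(&ctx->tid, worker, ctx->pool);
    if (rc != 0) {
        pool_free(ctx->pool);
        return -rc;
    }
    return 0;
}
/* Fixed shape: the callee never frees what it does not own; the caller that
 * allocated the pool frees it exactly once during teardown. */
static int start_thread_fixed(struct ring_ctx *ctx, create_fn create) {
    int rc = create(&ctx->tid, worker, ctx->pool);
    return rc != 0 ? -rc : 0;
}

/* Caller common to both shapes: allocate, start, log on failure, tear down.
 * Returns the number of memory-safety violations the tracker observed. */
static int run(bool fixed, create_fn create) {
    tracker_reset();
    struct ring_ctx ctx = { .pool = pool_new(64) };
    int rc = fixed ? start_thread_fixed(&ctx, create)
                   : start_thread_vuln(&ctx, create);
    if (rc == 0) {
        pthread_join(ctx.tid, NULL);
    } else {
        /* Error path "logs" the pool's depth: a use-after-free in the
         * vulnerable shape, because the callee already freed the pool. */
        (void)pool_depth(ctx.pool);
    }
    pool_free(ctx.pool);   /* teardown; a double free in the vulnerable shape */
    return double_frees + uafs;
}

int main(void) {
    printf("vulnerable, creation fails: %d violation(s)\n", run(false, create_eagain));
    printf("fixed,      creation fails: %d violation(s)\n", run(true,  create_eagain));
    printf("vulnerable, creation works: %d violation(s)\n", run(false, create_real));
    return 0;
}
```

Build with `cc -pthread uaf_model.c` and run it; only the vulnerable shape with a failing thread creation reports violations (one stale read, one double free). The fix is the single-owner rule the example shows: the function that allocated a structure is the only one that frees it, and a callee that fails leaves the caller's state untouched so the caller's normal teardown remains correct.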

Potential impact of CVE-2026-33150

  1. System Crashes: Triggering the use-after-free crashes the FUSE filesystem process, which takes down every mount that process serves. Applications relying on those mounts lose access to their data until the daemon is restarted, affecting availability and operational continuity.

  2. Arbitrary Code Execution: A use-after-free can in principle be turned into arbitrary code execution in the context of the affected FUSE process. If that process runs with more privilege than the attacker (for example a root-run daemon serving a system mount), this becomes a privilege escalation and can compromise the integrity of the system and expose sensitive data.

  3. Increased Attack Surface in Container Environments: The bug is reached through a failed thread creation, which is exactly what cgroup limits on process or thread counts produce. Containerized deployments that mount filesystems through FUSE therefore give a local attacker an easy way to trigger the condition, raising the risk profile of organizations using FUSE inside containers.

Affected Version(s)

libfuse >= 3.18.0, < 3.18.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

References

CVSS V3.1

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved
