Skip to main content

Red Hat CVE-2026-33179

| EUVDEUVD-2026-13794 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-03-20 GitHub_M
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Patch available
Apr 16, 2026 - 05:29 EUVD
3.18.2
PoC Detected
Mar 27, 2026 - 21:20 vuln.today
Public exploit code
EUVD ID Assigned
Mar 20, 2026 - 20:46 euvd
EUVD-2026-13794
Analysis Generated
Mar 20, 2026 - 20:46 vuln.today
CVE Published
Mar 20, 2026 - 20:20 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.

AnalysisAI

libfuse versions 3.18.0 through 3.18.1 contain a NULL pointer dereference and memory leak vulnerability in the fuse_uring_init_queue function that affects only the io_uring transport implementation. A local user with low privileges can trigger this vulnerability to crash the FUSE daemon or exhaust system resources through repeated exploitation. A proof-of-concept has been confirmed with AddressSanitizer and LeakSanitizer, demonstrating both the NULL dereference condition and memory leak when numa_alloc_local or fuse_uring_register_queue fail.

Technical ContextAI

libfuse is the reference implementation of the Linux FUSE (Filesystem in Userspace) interface, enabling unprivileged users to create custom filesystems without kernel modification. The vulnerability exists specifically in the io_uring transport layer introduced in version 3.18.0, which provides an alternative high-performance path to the traditional /dev/fuse character device. The root cause is classified under CWE-476 (NULL Pointer Dereference), occurring in the fuse_uring_init_queue function where NUMA memory allocation (numa_alloc_local) and io_uring queue registration (fuse_uring_register_queue) lack proper error handling. When numa_alloc_local fails, the function proceeds with NULL pointers without validation; when fuse_uring_register_queue fails, allocated NUMA memory is not freed and the function incorrectly returns success, creating both a crash vector and a resource exhaustion vector.

RemediationAI

Immediately upgrade libfuse to version 3.18.2 or later, which contains the fix committed at https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7. For systems unable to upgrade immediately, restrict local system access to trusted users only and disable io_uring transport by ensuring the traditional /dev/fuse path is used for FUSE operations if possible (the traditional path is not affected by this vulnerability). Monitor system logs for FUSE daemon crashes or unexpected resource consumption that might indicate exploitation attempts. Verify the upgrade by checking the libfuse version post-patching using appropriate package management tools and confirming that io_uring queue initialization errors no longer result in NULL pointer dereferences or memory leaks.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed

Share

CVE-2026-33179 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy