Skip to main content

Red Hat EUVD-2026-13786

| CVE-2026-33150 HIGH
Use After Free (CWE-416)
2026-03-20 GitHub_M
Memory Corruption RCE Denial Of Service Use After Free Red Hat Suse
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.8 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Apr 16, 2026 - 06:19 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.18.2
PoC Detected
Mar 23, 2026 - 19:16 vuln.today
Public exploit code
EUVD ID Assigned
Mar 20, 2026 - 20:46 euvd
EUVD-2026-13786
Analysis Generated
Mar 20, 2026 - 20:46 vuln.today
CVE Published
Mar 20, 2026 - 20:20 nvd
HIGH 7.8

DescriptionGitHub Advisory

libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.

AnalysisAI

libfuse versions 3.18.0 through 3.18.1 contain a use-after-free vulnerability in the io_uring subsystem that allows local attackers to crash FUSE filesystem processes or execute arbitrary code when thread creation fails under resource constraints. The flaw occurs when io_uring initialization fails (e.g., due to cgroup limits), leaving a dangling pointer in session state that is dereferenced during shutdown. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Exhaust cgroup pids.max limit
Delivery
Trigger io_uring thread creation failure
Exploit
Free ring pool with dangling pointer
Execution
Access freed memory on session shutdown
Impact
Execute arbitrary code with FUSE process privileges
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Local attacker with low-privilege access to system running libfuse versions 3.18.0–3.18.1 with io_uring enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS v3.1 score of 7.8 (High) reflects significant impact potential with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirement but low attack complexity and low privilege requirements with high impact across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with local user access to a containerized environment running a FUSE filesystem on vulnerable libfuse versions could trigger resource exhaustion by consuming available process slots up to the cgroup pids.max limit. When the FUSE daemon attempts to initialize io_uring and fails to create new threads, the use-after-free condition is triggered. …
Remediation Upgrade libfuse to version 3.18.2 or later immediately, as documented in the release notes at https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: identify all systems running libfuse 3.18.0 or 3.18.1 using package inventory tools and assess their role in production FUSE filesystem operations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed

Share

EUVD-2026-13786 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy