CVE-2026-33179

Name	CVE-2026-33179
Description	libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
fuse3 (PTS)	bullseye	3.10.3-2	fixed
	bookworm	3.14.0-4	fixed
	trixie	3.17.2-3	fixed
	forky	3.18.1-1	vulnerable
	sid	3.18.2-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
fuse3	source	bullseye	(not affected)
fuse3	source	bookworm	(not affected)
fuse3	source	trixie	(not affected)
fuse3	source	(unstable)	3.18.2-1

Notes

[trixie] - fuse3 <not-affected> (Vulnerable code introduced later)
[bookworm] - fuse3 <not-affected> (Vulnerable code introduced later)
[bullseye] - fuse3 <not-affected> (Vulnerable code introduced later)
https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358
Fixed by: https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7 (fuse-3.18.2)