Agabhin

**Name of the Vulnerable Software and Affected Versions** libfuse versions 3.18.0 through 3.18.1 **Description** libfuse, the reference implementation of the Linux FUSE, contains a flaw in the `fuse uring init queue` function. A NULL pointer dereference and memory leak can occur when setting up the io uring queue, specifically when `numa alloc local` fails. This can lead to a local user crashing the FUSE daemon or causing resource exhaustion. The traditional /dev/fuse path is not affected; only the io uring transport is vulnerable. **Recommendations** Update to version 3.18.2 or later.

**Name of the Vulnerable Software and Affected Versions** libfuse versions 3.18.0 through 3.18.1 **Description** libfuse, the reference implementation of the Linux FUSE, contains a flaw in its io uring subsystem. A use-after-free condition exists from versions 3.18.0 up to, but not including, 3.18.2. This occurs when the creation of an io uring thread fails due to resource limitations, such as those imposed by cgroup pids.max. Specifically, the `fuse uring start()` function frees the ring pool structure but retains a pointer to it within the session state. This dangling pointer is then dereferenced during session shutdown, resulting in a use-after-free. The issue is reliably triggered in containerized environments where cgroup pids.max limits thread creation. **Recommendations** Update to libfuse version 3.18.2 or later.