CVE-2026-33150

Name of the Vulnerable Software and Affected Versions libfuse versions 3.18.0 through 3.18.1

Description libfuse, the reference implementation of the Linux FUSE, contains a flaw in its io uring subsystem. A use-after-free condition exists from versions 3.18.0 up to, but not including, 3.18.2. This occurs when the creation of an io uring thread fails due to resource limitations, such as those imposed by cgroup pids.max. Specifically, the fuse uring start() function frees the ring pool structure but retains a pointer to it within the session state. This dangling pointer is then dereferenced during session shutdown, resulting in a use-after-free. The issue is reliably triggered in containerized environments where cgroup pids.max limits thread creation.

Recommendations Update to libfuse version 3.18.2 or later.