CVE-2026-33179

Name of the Vulnerable Software and Affected Versions libfuse versions 3.18.0 through 3.18.1

Description libfuse, the reference implementation of the Linux FUSE, contains a flaw in the fuse uring init queue function. A NULL pointer dereference and memory leak can occur when setting up the io uring queue, specifically when numa alloc local fails. This can lead to a local user crashing the FUSE daemon or causing resource exhaustion. The traditional /dev/fuse path is not affected; only the io uring transport is vulnerable.

Recommendations Update to version 3.18.2 or later.