CVE-2026-33150
Published: 20 March 2026
Summary
CVE-2026-33150 is a high-severity Use After Free (CWE-416) vulnerability in libfuse (vendor: Libfuse Project). Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 1.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-33150 is a use-after-free vulnerability in the io_uring subsystem of libfuse, the reference implementation of the Linux FUSE (Filesystem in Userspace). It affects versions 3.18.0 through 3.18.1. The flaw occurs when io_uring thread creation fails due to resource exhaustion, such as cgroup pids.max limits; in this case, fuse_uring_start() frees the ring pool structure but retains a dangling pointer in the session state, leading to a use-after-free during session shutdown. Classified as CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), it enables local attackers to crash FUSE filesystem processes and potentially execute arbitrary code.
A local attacker with low privileges can exploit this vulnerability reliably, particularly in containerized environments where cgroup pids.max constraints commonly trigger the thread creation failure. By inducing the resource exhaustion condition and triggering session shutdown, the attacker causes the use-after-free, which can result in denial of service via process crashes or escalation to arbitrary code execution with the privileges of the affected FUSE process.
The issue has been addressed in libfuse version 3.18.2, as detailed in the project's security advisory (GHSA-qxv7-xrc2-qmfx), release notes, and the patching commit (49fcd891a58f622c098e2ca67d66086f7b213836). Security practitioners should upgrade to 3.18.2 or later and review deployments using io_uring-enabled FUSE filesystems in containers.
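The error-path pattern described above, as an added example that is not libfuse's code and not the project's patch. All type and function names here (`ring_pool`, `session`, `uring_start_vulnerable`, `uring_start_fixed`, `session_destroy`) are hypothetical stand-ins, and a static slot with a `live` flag replaces malloc/free so the stale reference can be observed without undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins; these are not libfuse's real types or functions. */
struct ring_pool { bool live; };
struct session   { struct ring_pool *ring_pool; };

/* Static slot instead of malloc/free: inspecting it after release is well defined. */
static struct ring_pool slot;
static struct ring_pool *pool_alloc(void) { slot.live = true; return &slot; }
static void pool_release(struct ring_pool *p) { p->live = false; }

/* Models thread creation failing, e.g. when cgroup pids.max is reached. */
static int start_threads(bool pids_exhausted) { return pids_exhausted ? -1 : 0; }

/* 'Before' pattern: the error path releases the pool but leaves the session pointer set. */
static int uring_start_vulnerable(struct session *se, bool pids_exhausted)
{
    se->ring_pool = pool_alloc();
    if (start_threads(pids_exhausted) != 0) {
        pool_release(se->ring_pool);   /* se->ring_pool now dangles */
        return -1;
    }
    return 0;
}
/* Hardened pattern: publish the pointer only on success, clear it on failure. */
static int uring_start_fixed(struct session *se, bool pids_exhausted)
{
    struct ring_pool *p = pool_alloc();
    if (start_threads(pids_exhausted) != 0) {
        pool_release(p);
        se->ring_pool = NULL;
        return -1;
    }
    se->ring_pool = p;
    return 0;
}
/* Session shutdown: returns 1 if it would touch an already-released pool, else 0. */
static int session_destroy(struct session *se)
{
    int stale = se->ring_pool != NULL && !se->ring_pool->live;
    if (se->ring_pool != NULL) pool_release(se->ring_pool);
    se->ring_pool = NULL;
    return stale;
}
int main(void)
{
    struct session a = {0}, b = {0};
    uring_start_vulnerable(&a, true);
    uring_start_fixed(&b, true);
    printf("stale at shutdown: before=%d hardened=%d\n", session_destroy(&a), session_destroy(&b));
    return 0;
}
```

With a real allocator the "stale" case is the use-after-free; building the affected code with AddressSanitizer is a practical way to surface this class of error-path bug during testing.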
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13786
Vulnerability details
libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.
- CWE(s): CWE-416
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local use-after-free in libfuse io_uring enables arbitrary code execution with the privileges of the FUSE process, directly mapping to exploitation for privilege escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
Directly remediates the use-after-free vulnerability in libfuse's io_uring subsystem by requiring timely patching to version 3.18.2 or later.
Implements memory protection mechanisms like ASLR and DEP that hinder reliable exploitation of the dangling pointer use-after-free during FUSE session shutdown.
Enforces least privilege on FUSE filesystem processes to limit the impact of potential arbitrary code execution from the local attacker's exploitation.