CVE-2026-33179 — NULL Pointer Dereference in Project Libfuse

CWE-476 — NULL Pointer Dereference6 documents6 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 98.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libfuse Project Libfuse Libfuse

Timeline

PublishedMar 20

Description

libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶NVDlibfuse_project/libfuse3.18.0 — 3.18.2

▶CVEListV5libfuse/libfuse>= 3.18.0, < 3.18.2

Patches

Patch: github.com ↗

🔴Vulnerability Details

CVEList

libfuse: NULL Pointer Dereference and Memory Leak in io_uring Queue Initialization↗2026-03-20

▶

OSV

CVE-2026-33179: libfuse is the reference implementation of the Linux FUSE↗2026-03-20

▶

📋Vendor Advisories

Red Hat

libfuse: libfuse: Denial of Service via NULL pointer dereference and memory leak↗2026-03-20

▶

Debian

CVE-2026-33179: fuse3 - libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 t...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33179 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶