Libfuse Project Libfuse vulnerabilities

CVE-2026-33150 [HIGH] CWE-416 CVE-2026-33150: libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.1 libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids

CVE-2026-33179 [MEDIUM] CWE-476 CVE-2026-33179: libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.1 libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. Wh

CVE-2010-3879 [MEDIUM] CVE-2010-3879: FUSE, possibly 2.8.5 and earlier, allows local users to create mtab entries with arbitrary pathnames FUSE, possibly 2.8.5 and earlier, allows local users to create mtab entries with arbitrary pathnames, and consequently unmount any filesystem, via a symlink attack on the parent directory of the mountpoint of a FUSE filesystem, a different vulnerability than CVE-2010-0789.