Message-ID: <CAK3hNHZzPyQaJL4y4CToEma7DFjEGREK4rz-53mx7DNc23dwqw@mail.gmail.com>
Date: Wed, 25 Mar 2026 01:37:52 -0700
From: Abhinav Agarwal <abhinavagarwal1996@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2026-33150, CVE-2026-33179: libfuse io_uring memory safety vulnerabilities (use-after-free, NULL deref)

Following up with a detailed writeup covering root cause analysis,
exploitation surface, and proof of concept for both CVEs:

https://abhinavagarwal07.github.io/posts/ringwraith/

Key points beyond the original advisory:
- The UAF (CVE-2026-33150) is triggered by pthread_create failure or
  io_uring_queue_init_params failure, not by the CVE-2026-33179 sub-bugs
- Container resource limits (cgroup pids.max, RLIMIT_NPROC) reliably
  cause pthread_create failure in the io_uring startup path
- CVE-2026-33179 has two independent sub-bugs: NULL deref on
  numa_alloc_local failure, and error-swallowed-as-success causing a
  filesystem hang; neither chains into the UAF in the shipped code

Regards,
Abhinav Agarwal


On Fri, Mar 20, 2026 at 6:24 PM Abhinav Agarwal
<abhinavagarwal1996@...il.com> wrote:
>
> Two memory safety vulnerabilities in libfuse's io_uring code path
> (introduced in 3.18.0) have been fixed in libfuse 3.18.2. Only the
> io_uring transport is affected; the traditional /dev/fuse path is not.
>
> Affected versions: libfuse >= 3.18.0, < 3.18.2
> Fixed in: libfuse 3.18.2
>   https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2
>
>
> CVE-2026-33150: Use-After-Free
> Severity: High (CVSS 7.8)
> CWE: CWE-416
>
> Use-after-free in io_uring session shutdown path. A local user can
> crash the FUSE daemon or potentially execute arbitrary code.
>
> Advisory: https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx
> Fix: https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836
> Credit: Abhinav Agarwal (reporter)
> Remediation review: Akshat Sinha
>
>
> CVE-2026-33179: NULL Pointer Dereference + Memory Leak
> Severity: Moderate (CVSS 5.5)
> CWE: CWE-476
>
> Missing NULL checks and error-path cleanup in io_uring queue
> initialization can crash the FUSE daemon on allocation failure
> and leak NUMA memory.
>
> Advisory: https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358
> Fix: https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7
> Credit: Abhinav Agarwal (reporter)
> Remediation review: Akshat Sinha
>
>
> Both issues were reported privately to the libfuse maintainer
> and fixed in a coordinated release.
>
> Timeline:
>   2026-03-16  first issue reported to libfuse maintainer
>   2026-03-17  second issue reported to libfuse maintainer
>   2026-03-18  Release 3.18.2 with fixes
>   2026-03-19  GHSA advisories published
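The error-path shape behind CVE-2026-33179 (an allocation failure that is not NULL-checked, an error returned as success, buffers leaked on the way out), modelled as an added C example that is not libfuse's code. Names such as queue_alloc and run_with_fault are hypothetical, and a fault-injecting calloc() stands in for numa_alloc_local() so the failure path can be exercised offline:

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed model of an io_uring per-queue init error path (hypothetical
 * names, not libfuse's code); a fault-injecting calloc() replaces numa_alloc_local(). */
static int fail_on_call;  /* fail the Nth allocation; 0 = never fail */
static int alloc_calls;
static int live_allocs;   /* outstanding buffers, so a leak is visible */
static int last_live;     /* buffers outstanding right after the last init */
static void *queue_alloc(size_t len)
{
    if (++alloc_calls == fail_on_call) return NULL;
    live_allocs++;
    return calloc(1, len);
}
static void queues_destroy(void **bufs, int nq)
{
    for (int i = 0; i < nq; i++) {
        live_allocs -= (bufs[i] != NULL);
        free(bufs[i]);            /* free(NULL) is a no-op */
        bufs[i] = NULL;
    }
}
/* Hardened shape: NULL-check every allocation, unwind queues 0..i-1, and
 * propagate -ENOMEM instead of returning 0 with a NULL buffer left in place. */
static int queues_init(void **bufs, int nq, size_t len)
{
    for (int i = 0; i < nq; i++) {
        bufs[i] = queue_alloc(len);
        if (!bufs[i]) {
            queues_destroy(bufs, i);
            return -ENOMEM;
        }
    }
    return 0;
}
/* Fault-injection check: init nq queues with the nth allocation failing.
 * last_live records buffers outstanding after init: nq on success, 0 on failure. */
static int run_with_fault(int nth, int nq)
{
    void *bufs[8] = {0};
    if (nq < 1 || nq > 8) return -EINVAL;
    fail_on_call = nth;
    alloc_calls = live_allocs = 0;
    int ret = queues_init(bufs, nq, 4096);
    last_live = live_allocs;
    queues_destroy(bufs, nq);
    return ret;
}
```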
