Following up with a detailed writeup covering root cause analysis, exploitation surface, and proof of concept for both CVEs:
https://abhinavagarwal07.github.io/posts/ringwraith/

Key points beyond the original advisory:

- The UAF (CVE-2026-33150) is triggered by pthread_create failure or io_uring_queue_init_params failure, not by the CVE-2026-33179 sub-bugs
- Container resource limits (cgroup pids.max, RLIMIT_NPROC) reliably cause pthread_create failure in the io_uring startup path
- CVE-2026-33179 has two independent sub-bugs: NULL deref on numa_alloc_local failure, and error-swallowed-as-success causing a filesystem hang; neither chains into the UAF in the shipped code

Regards,
Abhinav Agarwal

On Fri, Mar 20, 2026 at 6:24 PM Abhinav Agarwal <[email protected]> wrote:
>
> Two memory safety vulnerabilities in libfuse's io_uring code path
> (introduced in 3.18.0) have been fixed in libfuse 3.18.2. Only the
> io_uring transport is affected; the traditional /dev/fuse path is not.
>
> Affected versions: libfuse >= 3.18.0, < 3.18.2
> Fixed in: libfuse 3.18.2
> https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2
>
>
> CVE-2026-33150: Use-After-Free
> Severity: High (CVSS 7.8)
> CWE: CWE-416
>
> Use-after-free in io_uring session shutdown path. A local user can
> crash the FUSE daemon or potentially execute arbitrary code.
>
> Advisory:
> https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx
> Fix:
> https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836
> Credit: Abhinav Agarwal (reporter)
> Remediation review: Akshat Sinha
>
>
> CVE-2026-33179: NULL Pointer Dereference + Memory Leak
> Severity: Moderate (CVSS 5.5)
> CWE: CWE-476
>
> Missing NULL checks and error-path cleanup in io_uring queue
> initialization can crash the FUSE daemon on allocation failure
> and leak NUMA memory.
>
> Advisory:
> https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358
> Fix:
> https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7
> Credit: Abhinav Agarwal (reporter)
> Remediation review: Akshat Sinha
>
>
> Both issues were reported privately to the libfuse maintainer
> and fixed in a coordinated release.
>
> Timeline:
> 2026-03-16 first issue reported libfuse maintainer
> 2026-03-17 second issue reported libfuse maintainer
> 2026-03-18 Release 3.18.2 with fixes
> 2026-03-19 GHSA advisories published
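
A version check for the affected range stated in the advisory above (libfuse >= 3.18.0, < 3.18.2), as an added example that is not part of the original message or of libfuse; the function names, host names and inventory lines are constructed. It compares fields numerically so that versions such as 3.18.10 or 3.9.4 are not misclassified by string ordering.

```shell
#!/bin/sh
# Added example, not libfuse project code. Range taken from the advisory:
# affected is libfuse >= 3.18.0 and < 3.18.2.

# ver_cmp A B: print -1, 0 or 1, comparing dotted versions numerically per field.
ver_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
    done
    echo 0
}

# libfuse_status VERSION: print affected, not-affected or unknown.
libfuse_status() {
    v=${1#*:}          # drop a packaging epoch, if any
    v=${v%%[-+~]*}     # drop a packaging revision suffix, if any
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    if [ "$(ver_cmp "$v" 3.18.0)" -ge 0 ] && [ "$(ver_cmp "$v" 3.18.2)" -lt 0 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed inventory (host, reported libfuse version); not real data.
inventory='build-01 3.17.4
ctr-host-02 3.18.1-2
nas-03 3.18.10
dev-04 3.9.4
edge-05 3.18.2'

scan_inventory() {
    printf '%s\n' "$inventory" | while read -r host ver; do
        printf '%s\t%s\t%s\n' "$host" "$ver" "$(libfuse_status "$ver")"
    done
}

scan_inventory
```

A result of "affected" is a version match only: it does not show whether the io_uring transport is in use, and a distribution package may carry the fixes under an older version number.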
