libfuse Use-After-Free Vulnerability in io_uring Subsystem Allows Crash and Potential Code Execution

Vulnerability

A use-after-free vulnerability has been identified in the io_uring transport of libfuse, the reference implementation of Linux FUSE. It affects libfuse versions from 3.18.0 up to, but not including, 3.18.2. A local attacker can use it to crash FUSE filesystem processes and potentially execute arbitrary code. The bug is reached when creation of the io_uring worker threads fails because of resource exhaustion, for example when a cgroup pids.max limit is hit. On that failure path, fuse_uring_start() frees the ring pool structure but leaves a pointer to the freed block in the session state. When the session later shuts down, the teardown code operates on that stale pointer, which is the use-after-free. Because the trigger is nothing more than a failed thread creation, the condition can be reached reliably in containerized environments where a cgroup pids.max limit constrains how many threads the FUSE process may create.
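The ownership mistake described above, shown as an added C illustration that is not libfuse's code: a start routine publishes its ring pool into the session before the worker threads exist, frees the pool when thread creation fails, and leaves the session pointing at the freed block, so the later session teardown touches freed memory. The structures, function names, the simulated thread table and the failure-injection knob (standing in for EAGAIN from a pids.max limit) are all hypothetical; the fixed variant hands ownership to the session only after startup has fully succeeded.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical, simplified ring pool: a table of simulated worker threads
 * and a descriptor. Not libfuse's real structure. */
struct ring_pool {
    int nthreads;   /* threads requested */
    int started;    /* threads that "came up" */
    int *threads;   /* simulated thread table (no real pthreads here) */
    int fd;         /* stands in for the io_uring fd; -1 if none */
};

/* Hypothetical session: ring must be NULL or point at a live pool. */
struct session {
    struct ring_pool *ring;
};

/* Failure injection: thread index g_fail_at refuses to start, the way
 * pthread_create() fails with EAGAIN once cgroup pids.max is reached.
 * A negative value means every thread starts. */
static int g_fail_at = -1;

static struct ring_pool *ring_pool_create(int nthreads)
{
    struct ring_pool *rp = calloc(1, sizeof *rp);
    if (!rp)
        return NULL;
    rp->threads = calloc((size_t)nthreads, sizeof *rp->threads);
    if (!rp->threads) {
        free(rp);
        return NULL;
    }
    rp->nthreads = nthreads;
    rp->fd = -1;
    return rp;
}

/* Destructor: closes the fd and frees the pool. In the vulnerable flow this
 * runs a second time, at session shutdown, on the already freed block. */
static void ring_pool_destroy(struct ring_pool *rp)
{
    if (rp->fd >= 0)
        close(rp->fd);
    free(rp->threads);
    free(rp);
}

/* Simulated thread start-up; fails at index g_fail_at. */
static int spawn_threads(struct ring_pool *rp)
{
    for (int i = 0; i < rp->nthreads; i++) {
        if (i == g_fail_at)
            return -1;              /* "EAGAIN": pids.max exhausted */
        rp->threads[i] = i + 1;     /* simulated thread id */
        rp->started++;
    }
    return 0;
}

/* Vulnerable pattern: the pool is stored in the session before start-up
 * succeeds, and the failure path frees it without clearing se->ring. */
int uring_start_vulnerable(struct session *se, int nthreads)
{
    struct ring_pool *rp = ring_pool_create(nthreads);
    if (!rp)
        return -1;
    se->ring = rp;
    if (spawn_threads(rp) != 0) {
        ring_pool_destroy(rp);      /* se->ring now dangles */
        return -1;
    }
    return 0;
}

/* Fixed pattern: ownership moves to the session only on full success;
 * every failure path leaves se->ring NULL. */
int uring_start_fixed(struct session *se, int nthreads)
{
    struct ring_pool *rp = ring_pool_create(nthreads);
    if (!rp)
        return -1;
    if (spawn_threads(rp) != 0) {
        ring_pool_destroy(rp);
        se->ring = NULL;
        return -1;
    }
    se->ring = rp;
    return 0;
}

/* Session shutdown: safe only if se->ring is NULL or a live pool. */
void session_teardown(struct session *se)
{
    if (se->ring) {
        ring_pool_destroy(se->ring);
        se->ring = NULL;
    }
}

/* Drives a start routine into the thread-creation failure and reports
 * whether the session was left holding a (freed) ring pointer, which is
 * exactly the condition that turns session_teardown() into a UAF. The
 * dangling pointer is inspected, never dereferenced or freed again. */
bool start_leaves_dangling_ring(int (*start)(struct session *, int))
{
    struct session se = { .ring = NULL };
    g_fail_at = 2;                  /* third thread hits the limit */
    int rc = start(&se, 4);
    g_fail_at = -1;
    return rc != 0 && se.ring != NULL;
}

/* Success path for the fixed variant: session owns a fully started pool
 * and teardown releases it cleanly. */
bool fixed_success_path_ok(void)
{
    struct session se = { .ring = NULL };
    if (uring_start_fixed(&se, 4) != 0)
        return false;
    bool owned = se.ring != NULL && se.ring->started == 4;
    session_teardown(&se);
    return owned && se.ring == NULL;
}
```

Running the vulnerable variant through session_teardown() would free the pool twice; the check function deliberately stops at observing the stale pointer. The same pattern is what a reviewer should look for in any start/attach routine: a resource published into long-lived state before every step that can fail has completed.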

Impact

Exploitation causes a denial of service: any FUSE filesystem process that has enabled the io_uring transport can be crashed. It may also lead to code execution. Between the premature free and session shutdown, the freed ring pool block can be reallocated and filled with attacker-influenced content; at shutdown the destructor reads that reallocated memory as the ring pool's struct fields and calls free(), close() and pthread_cancel() on the values it finds there. Control over the pointer passed to free(), the descriptor passed to close() and the thread handle passed to pthread_cancel() is a standard starting point for turning a use-after-free into code execution. Processes that do not use the io_uring transport are not affected.

Remediation

Upgrade to libfuse 3.18.2 or later, where this vulnerability has been patched. Until the upgrade is deployed, FUSE servers running in containers with a tight pids.max limit are the most exposed, since that limit is what makes the failing thread creation reproducible.

Added: Mar 20, 2026, 9:26 PM
Updated: Mar 20, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          7.5
exploitability  3.6
remediation     7.7
relevance       4.2
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.