Multiple vulnerabilities in FUSE, including a use-after-free and a NULL pointer dereference, can lead to denial of service or code execution. The most severe issue, CVE-2026-33150, has a CVSS score of 7.8 (High). Affected versions are libfuse 3.18.0 up to, but not including, 3.18.2, and users must upgrade to version 3.18.2 to remediate; no workaround is currently available.
Multiple vulnerabilities have been found in FUSE, the worst of which can lead to code execution. Affected packages Package sys-fs/fuse on all architectures Affected versions < 3.18.1 Unaffected versions >= 3.18.1 Background FUSE (Filesystem in Userspace) is an interface for userspace programs to export a filesystem to the Linux kernel. Description The following vulnerabilities have been discovered in FUSE: a NULL pointer dereference (when running with the NUMA architecture) and a use-after-free. The worst of which can lead to code execution. Please review the CVE identifiers referenced below for details. Impact The following is a possible outcome: denial of service (crash) and potential code execution. Workaround There is no known workaround at this time. Resolution All FUSE users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-fs/fuse-3.18.1:3" References CVE-2026-33150 CVE-2026-33179 Release date April 17, 2026 Latest revision April 17, 2026: 1 Severity normal Exploitable remote Bugzilla entries 971552