Bug 2451602 - CVE-2026-33150 fuse-sshfs: libfuse: Arbitrary code execution via use-after-free in io_uring subsystem [epel-all]
Summary: CVE-2026-33150 fuse-sshfs: libfuse: Arbitrary code execution via use-after-fr...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: fuse-sshfs
Version: epel10
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Peter Lemenkov
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["2fe31034-1ba2-4171-87ed-c...
: 2451604 (view as bug list)
Depends On:
Blocks: CVE-2026-33150
TreeView+ depends on / blocked
 
Reported: 2026-03-26 05:39 UTC by Avinash Hanwate
Modified: 2026-03-26 10:40 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-03-26 10:40:52 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Avinash Hanwate 2026-03-26 05:39:18 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Peter Lemenkov 2026-03-26 10:34:35 UTC
*** Bug 2451604 has been marked as a duplicate of this bug. ***

Comment 2 Peter Lemenkov 2026-03-26 10:40:52 UTC
These CVEs affect libfuse3's io_uring subsystem, which was introduced in fuse3 3.18.0 and fixed in 3.18.2. fuse-sshfs itself is not vulnerable — it merely links against libfuse3 at runtime.

fuse3 is not available in EPEL, so there is nothing to fix here. EPEL ships fuse-sshfs linked against the base OS fuse3 package, which is an older version (pre-3.18.0) that does not include the io_uring subsystem and is therefore not affected.


Note You need to log in before you can comment on or make changes to this bug.