GHSA-cvmj-47v9-35m9: FUSE-Rust: Uninitalized memory read and leak caused by fuser crate

September 15, 2025 (updated November 10, 2025)

During the creation of a new libfuse session with fuse_session_new, the operation list was passed as NULL incorrectly. libfuse expects this argument to always point to list of operations. This caused uninitialized memory read and leaks in libfuse.so.

References

github.com/advisories/GHSA-cvmj-47v9-35m9
github.com/cberner/fuser
github.com/cberner/fuser/pull/390
rustsec.org/advisories/RUSTSEC-2021-0154.html

Code Behaviors & Features

Detect and mitigate GHSA-cvmj-47v9-35m9 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →