RUSTSEC-2021-0154

Uninitalized memory read & leak caused by fuser crate

Reported

September 10, 2021

Issued

September 12, 2025 (last modified: October 28, 2025)

Package

fuser (crates.io)

Type

INFO Unsound

Categories

code-execution

Keywords

#fuse

Aliases

GHSA-cvmj-47v9-35m9

References

https://github.com/cberner/fuser/pull/390
https://github.com/libfuse/libfuse/pull/1330

Patched

>=0.16.0

Affected Functions

Version

fuser::Session::new

>=0.5.0

Description

During creation of new libfuse session with fuse_session_new operation list was passed as NULL incorrectly. libfuse expects this argument to always point to list of operations. This caused uninitialized memory read and leaks in libfuse.so

Advisory available under CC0-1.0 license.