-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| fuser | rust | < 0.16.0 | 0.16.0 |
RustRustMiggo AIRoot Cause AnalysisThe vulnerability lies in the incorrect invocation of the fuse_session_new C function from the libfuse library within the fuser Rust crate. The analysis of the provided patch in pull request #390 clearly shows the fix. The commit 8daba15728da46d9299a2b23daa3aeb9954e114e modifies src/mnt/fuse3.rs inside the Mount::new function. The vulnerable line let fuse_session = unsafe { fuse_session_new(args, ptr::null(), 0, ptr::null_mut()) }; is replaced with code that correctly initializes a fuse_lowlevel_ops struct and passes a pointer to it to fuse_session_new. This directly addresses the vulnerability described, which is an uninitialized memory read due to the null pointer argument. Therefore, the fuser::mnt::fuse3::Mount::new function is the vulnerable function as it is the one that performs the unsafe and incorrect call.
Ongoing coverage of React2Shell