GHSA-cvmj-47v9-35m9: 
Rust vulnerability analysis and mitigation

The fuser crate, a Rust implementation of FUSE (Filesystem in Userspace), was found to contain a vulnerability related to uninitialized memory read and leak. The issue was discovered in September 2025 and affects versions prior to 0.16.0. The vulnerability occurs during the creation of a new libfuse session where the operation list was incorrectly passed as NULL, while libfuse expects this argument to always point to a list of operations (GitHub Advisory, RustSec Advisory).

The vulnerability is tracked as GHSA-cvmj-47v9-35m9 and has been assigned a high severity rating with a CVSS score of 8.2. The issue specifically occurs in the fuser::Session::new function when calling fusesessionnew, where the operation list parameter was incorrectly passed as NULL. This implementation error violates libfuse's expectation that the argument should always point to a valid list of operations. The vulnerability is classified under CWE-908 (Use of Uninitialized Resource) (GitHub Advisory).

The vulnerability results in uninitialized memory read and memory leaks in libfuse.so. This primarily affects the availability of the system, as indicated by the CVSS metrics showing high availability impact while confidentiality and integrity remain unaffected (GitHub Advisory).

The vulnerability has been patched in version 0.16.0 of the fuser crate. As a workaround before updating, users can avoid enabling the 'libfuse' feature as the issue only occurs when this feature is enabled (GitHub PR).

The vulnerability was initially discovered through a project dependency check and was promptly addressed by the maintainers. The community actively participated in the resolution process, with multiple projects and developers being notified through cargo-deny. A parallel fix was also proposed in the libfuse project to make passing NULL operations acceptable (GitHub PR).