Commit 07edbb6

1 parent 5cbf981 commit 07edbb6

7 files changed

Lines changed: 763 additions & 0 deletions

Lines changed: 117 additions & 0 deletions
@@ -0,0 +1,117 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-hx6p-xpx3-jvvv",
4+
"modified": "2026-04-09T20:22:08Z",
5+
"published": "2026-04-09T20:22:08Z",
6+
"aliases": [
7+
"CVE-2026-34941"
8+
],
9+
"summary": "Wasmtime: Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding",
10+
"details": "### Summary\n\nWasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byte length of the input string when performing a bounds check. Specifically the number of code units were checked instead of the byte length, which is twice the size of the code units.\n\nThis vulnerability can cause the host to read beyond the end of a WebAssembly's linear memory in an attempt to transcode nonexistent bytes. In Wasmtime's default configuration this will read unmapped memory on a guard page, terminating the process with a segfault. Wasmtime can be configured, however, without guard pages which would mean that host memory beyond the end of linear memory may be read and interpreted as UTF-16.\n\nA host segfault is a denial-of-service vulnerability in Wasmtime, and possibly being able to read beyond the end of linear memory is additionally a vulnerability. Note that reading beyond the end of linear memory requires nonstandard configuration of Wasmtime, specifically with guard pages disabled.\n\n### Impact\n\nThis is an out-of-bounds memory access. Any user running untrusted wasm components that use cross-component string passing (with UTF-16 source and latin1+utf16 destination encodings) is affected.\n\n- With guard pages: Denial of service. The host process crashes with SIGBUS/SIGSEGV.\n- Without guard pages: Potential information disclosure. The guest can read host memory beyond its linear memory allocation.\n\nPatches\n\nWasmtime 24.0.7, 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. Users are recommended to update to these patched versions of Wasmtime.\nWorkarounds\n\nThere is no workaround for this bug. Hosts are recommended to updated to a patched version of Wasmtime.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "crates.io",
21+
"name": "wasmtime"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "24.0.7"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "crates.io",
40+
"name": "wasmtime"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "25.0.0"
48+
},
49+
{
50+
"fixed": "36.0.7"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "crates.io",
59+
"name": "wasmtime"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "37.0.0"
67+
},
68+
{
69+
"fixed": "42.0.2"
70+
}
71+
]
72+
}
73+
]
74+
},
75+
{
76+
"package": {
77+
"ecosystem": "crates.io",
78+
"name": "wasmtime"
79+
},
80+
"ranges": [
81+
{
82+
"type": "ECOSYSTEM",
83+
"events": [
84+
{
85+
"introduced": "43.0.0"
86+
},
87+
{
88+
"fixed": "43.0.1"
89+
}
90+
]
91+
}
92+
],
93+
"versions": [
94+
"43.0.0"
95+
]
96+
}
97+
],
98+
"references": [
99+
{
100+
"type": "WEB",
101+
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hx6p-xpx3-jvvv"
102+
},
103+
{
104+
"type": "PACKAGE",
105+
"url": "https://github.com/bytecodealliance/wasmtime"
106+
}
107+
],
108+
"database_specific": {
109+
"cwe_ids": [
110+
"CWE-125"
111+
],
112+
"severity": "MODERATE",
113+
"github_reviewed": true,
114+
"github_reviewed_at": "2026-04-09T20:22:08Z",
115+
"nvd_published_at": null
116+
}
117+
}
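Review bot: In the `details` string (diff line 10) the `Patches` and `Workarounds` headings lack the `### ` prefix that `Summary` and `Impact` carry, and `Workarounds` follows the previous sentence after a single `\n`, so rendered Markdown will fold both into body text. Suggest `\n\n### Patches\n\n` and `\n\n### Workarounds\n\n`, and change "recommended to updated" to "recommended to update". Separately, the CVSS vector sets `VC:N` while the Impact text lists potential information disclosure when guard pages are disabled; confirm the score is meant to reflect only the default configuration. The `versions` array appears only on the last `affected` entry (`43.0.0`), so check that the asymmetry with the other three ranges is intended.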
Lines changed: 99 additions & 0 deletions
@@ -0,0 +1,99 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-jhxm-h53p-jm7w",
4+
"modified": "2026-04-09T20:23:26Z",
5+
"published": "2026-04-09T20:23:26Z",
6+
"aliases": [
7+
"CVE-2026-34971"
8+
],
9+
"summary": "Wasmtime: Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift",
10+
"details": "### Impact\n\nWasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses which means that the wrong address is accessed. When combined with explicit bounds checks a guest WebAssembly module this can create a situation where there are two diverging computations for the same address: one for the address to bounds-check and one for the address to load. This difference in address being operated on means that a guest module can pass a bounds check but then load a different address. Combined together this enables an arbitrary read/write primitive for guest WebAssembly when accesssing host memory. This is a sandbox escape as guests are able to read/write arbitrary host memory.\n\nThis vulnerability has a few ingredients, all of which must be met, for this situation to occur and bypass the sandbox restrictions:\n\n* This miscompiled shape of load only occurs on 64-bit WebAssembly linear memories, or when `Config::wasm_memory64` is enabled. 32-bit WebAssembly is not affected.\n* Spectre mitigations or signals-based-traps must be disabled. When spectre mitigations are enabled then the offending shape of load is not generated. When signals-based-traps are disabled then spectre mitigations are also automatically disabled.\n\nThe specific bug in Cranelift is a miscompile of a load of the shape `load(iadd(base, ishl(index, amt)))` where `amt` is a constant. The `amt` value is masked incorrectly to test if it's a certain value, and this incorrect mask means that Cranelift can pattern-match this lowering rule during instruction selection erroneously, diverging from WebAssembly's and Cranelift's semantics. This incorrect lowering would, for example, load an address much further away than intended as the correct address's computation would have wrapped around to a smaller value insetad.\n\n\n\n### Patches\n\nWasmtime 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. 
Users are recommended to update to these patched versions of Wasmtime.\n\n### Workarounds\n\nThis bug only affects users of Cranelift on aarch64. Cranelift on other platforms is not affected. Additionally this only affects 64-bit WebAssembly linear memories, so if `Config::wasm_memory64` is disabled then hosts are not affected. Note that `Config::wasm_memory64` is enabled by default. If spectre mitigations are enabled, which are enabled by default, then hosts are not affected by this issue.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "crates.io",
21+
"name": "wasmtime"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "32.0.0"
29+
},
30+
{
31+
"fixed": "36.0.7"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "crates.io",
40+
"name": "wasmtime"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "37.0.0"
48+
},
49+
{
50+
"fixed": "42.0.2"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "crates.io",
59+
"name": "wasmtime"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "43.0.0"
67+
},
68+
{
69+
"fixed": "43.0.1"
70+
}
71+
]
72+
}
73+
],
74+
"versions": [
75+
"43.0.0"
76+
]
77+
}
78+
],
79+
"references": [
80+
{
81+
"type": "WEB",
82+
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jhxm-h53p-jm7w"
83+
},
84+
{
85+
"type": "PACKAGE",
86+
"url": "https://github.com/bytecodealliance/wasmtime"
87+
}
88+
],
89+
"database_specific": {
90+
"cwe_ids": [
91+
"CWE-125",
92+
"CWE-787"
93+
],
94+
"severity": "CRITICAL",
95+
"github_reviewed": true,
96+
"github_reviewed_at": "2026-04-09T20:23:26Z",
97+
"nvd_published_at": null
98+
}
99+
}
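Review bot: The `details` value on diff line 10 appears to break onto a second physical line after "have been issued to fix this bug. "; if that break is in the file rather than in the rendering, it is a raw newline inside a JSON string and the record will not parse, so it should be an escaped `\n` or removed. The same string has typos to fix while it is being touched: "accesssing" should be "accessing", "insetad" should be "instead", and "explicit bounds checks a guest WebAssembly module" is missing "in". The preconditions listed under Impact (64-bit linear memories, Spectre mitigations or signals-based traps disabled, aarch64 only) are what justify `AT:P` in the vector, so they should stay in the text.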
Lines changed: 117 additions & 0 deletions
@@ -0,0 +1,117 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-jxhv-7h78-9775",
4+
"modified": "2026-04-09T20:22:12Z",
5+
"published": "2026-04-09T20:22:12Z",
6+
"aliases": [
7+
"CVE-2026-34942"
8+
],
9+
"summary": "Wasmtime: Panic when transcoding misaligned utf-16 strings",
10+
"details": "### Impact\n\nWasmtime's implementation of transcoding strings into the Component Model's `utf16` or `latin1+utf16` encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. \n\nHost panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation.\n\n### Patches\n\nWasmtime 24.0.7, 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. Users are recommended to update to these patched versions of Wasmtime.\n\n### Workarounds\n\nThere is no workaround for this bug. Hosts are recommended to updated to a patched version of Wasmtime.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "crates.io",
21+
"name": "wasmtime"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "24.0.7"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "crates.io",
40+
"name": "wasmtime"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "25.0.0"
48+
},
49+
{
50+
"fixed": "36.0.7"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "crates.io",
59+
"name": "wasmtime"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "37.0.0"
67+
},
68+
{
69+
"fixed": "42.0.2"
70+
}
71+
]
72+
}
73+
]
74+
},
75+
{
76+
"package": {
77+
"ecosystem": "crates.io",
78+
"name": "wasmtime"
79+
},
80+
"ranges": [
81+
{
82+
"type": "ECOSYSTEM",
83+
"events": [
84+
{
85+
"introduced": "43.0.0"
86+
},
87+
{
88+
"fixed": "43.0.1"
89+
}
90+
]
91+
}
92+
],
93+
"versions": [
94+
"43.0.0"
95+
]
96+
}
97+
],
98+
"references": [
99+
{
100+
"type": "WEB",
101+
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775"
102+
},
103+
{
104+
"type": "PACKAGE",
105+
"url": "https://github.com/bytecodealliance/wasmtime"
106+
}
107+
],
108+
"database_specific": {
109+
"cwe_ids": [
110+
"CWE-119"
111+
],
112+
"severity": "MODERATE",
113+
"github_reviewed": true,
114+
"github_reviewed_at": "2026-04-09T20:22:12Z",
115+
"nvd_published_at": null
116+
}
117+
}
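Review bot: `cwe_ids` lists only `CWE-119`, but the `details` text on diff line 10 describes an alignment check that was skipped and a resulting host panic, with no out-of-bounds access stated; confirm the classification against the upstream advisory or pick an identifier that matches a guest-triggered panic. In the same string, "recommended to updated" should be "recommended to update", and there is a trailing space before `\n\n` after "with specific addresses.". The `summary` writes "utf-16" in lowercase while the sibling advisory in this commit uses "UTF-16"; pick one casing across the set.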
