Skip to content

Commit e21d443

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-394w-hwhg-8vgm GHSA-6wgr-89rj-399p GHSA-hfr4-7c6c-48w2
1 parent 07edbb6 commit e21d443

File tree

3 files changed

+275
-0
lines changed

3 files changed

+275
-0
lines changed

advisories/github-reviewed/2026/04/GHSA-394w-hwhg-8vgm/GHSA-394w-hwhg-8vgm.json

Lines changed: 117 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,117 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-394w-hwhg-8vgm",
4+
"modified": "2026-04-09T20:24:12Z",
5+
"published": "2026-04-09T20:24:12Z",
6+
"aliases": [
7+
"CVE-2026-35195"
8+
],
9+
"summary": "Wasmtime has out-of-bounds write or crash when transcoding component model strings",
10+
"details": "### Impact\n\nWasmtime's implementation of transcoding strings between components contains a bug where the return value of a guest component's `realloc` is not validated before the host attempts to write through the pointer. This enables a guest to cause the host to write arbitrary transcoded string bytes to an arbitrary location up to 4GiB away from the base of linear memory. These writes on the host could hit unmapped memory or could corrupt host data structures depending on Wasmtime's configuration.\n\nWasmtime by default reserves 4GiB of virtual memory for a guest's linear memory meaning that this bug will by default on hosts cause the host to hit unmapped memory and abort the process due to an unhandled fault. Wasmtime can be configured, however, to reserve less memory for a guest and to remove all guard pages, so some configurations of Wasmtime may lead to corruption of data outside of a guest's linear memory, such as host data structures or other guests's linear memories. \n\n### Patches\n\nWasmtime 24.0.7, 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. Users are recommended to update to these patched versions of Wasmtime.\n\n### Workarounds\n\nThere is no known workaround for this issue and affected hosts/embeddings are recommended to upgrade.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "crates.io",
21+
"name": "wasmtime"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "24.0.7"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "crates.io",
40+
"name": "wasmtime"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "25.0.0"
48+
},
49+
{
50+
"fixed": "36.0.7"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "crates.io",
59+
"name": "wasmtime"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "37.0.0"
67+
},
68+
{
69+
"fixed": "42.0.2"
70+
}
71+
]
72+
}
73+
]
74+
},
75+
{
76+
"package": {
77+
"ecosystem": "crates.io",
78+
"name": "wasmtime"
79+
},
80+
"ranges": [
81+
{
82+
"type": "ECOSYSTEM",
83+
"events": [
84+
{
85+
"introduced": "43.0.0"
86+
},
87+
{
88+
"fixed": "43.0.1"
89+
}
90+
]
91+
}
92+
],
93+
"versions": [
94+
"43.0.0"
95+
]
96+
}
97+
],
98+
"references": [
99+
{
100+
"type": "WEB",
101+
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-394w-hwhg-8vgm"
102+
},
103+
{
104+
"type": "PACKAGE",
105+
"url": "https://github.com/bytecodealliance/wasmtime"
106+
}
107+
],
108+
"database_specific": {
109+
"cwe_ids": [
110+
"CWE-787"
111+
],
112+
"severity": "MODERATE",
113+
"github_reviewed": true,
114+
"github_reviewed_at": "2026-04-09T20:24:12Z",
115+
"nvd_published_at": null
116+
}
117+
}

advisories/github-reviewed/2026/04/GHSA-6wgr-89rj-399p/GHSA-6wgr-89rj-399p.json

Lines changed: 98 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,98 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-6wgr-89rj-399p",
4+
"modified": "2026-04-09T20:23:58Z",
5+
"published": "2026-04-09T20:23:58Z",
6+
"aliases": [
7+
"CVE-2026-34988"
8+
],
9+
"summary": "Wasmtime has data leakage between pooling allocator instances",
10+
"details": "### Impact\n\nWasmtime's implementation of its pooling allocator contains a bug where in certain configurations the contents of linear memory can be leaked from one instance to the next. The implementation of resetting the virtual memory permissions for linear memory used the wrong predicate to determine if resetting was necessary, where the compilation process used a different predicate. This divergence meant that the pooling allocator incorrectly deduced at runtime that resetting virtual memory permissions was not necessary while compile-time determine that virtual memory could be relied upon.\n\nExposing this bug requires specific configuration values to be used. If any of these configurations are not applicable then this bug does not happen:\n\n* The pooling allocator must be in use.\n* The `Config::memory_guard_size` configuration option must be 0.\n* The `Config::memory_reservation` configuration must be less than 4GiB.\n* The pooling allocator must be configured with `max_memory_size` the same as the `memory_reservation` value.\n\nIf all of these conditions are applicable then when a linear memory is reused the VM permissions of the previous iteration are not reset. This means that the compiled code, which is assuming out-of-bounds loads will segfault, will not actually segfault and can read the previous contents of linear memory if it was previously mapped.\n\nThis represents a data leakage vulnerability between guest WebAssembly instances which breaks WebAssembly's semantics and additionally breaks the sandbox that Wasmtime provides. Wasmtime is not vulnerable to this issue with its default settings, nor with the default settings of the pooling allocator, but embeddings are still allowed to configure these values to cause this vulnerability.\n\n### Patches\n\nWasmtime 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. Users are recommended to update to these patched versions of Wasmtime.\n\n### Workarounds\n\nAll four conditions above must be met to be vulnerable to this bug, and users can work around this bug by adjusting any of the above conditions. For example it is strongly recommended that guard pages are configured for linear memories which would make this bug not applicable.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "crates.io",
21+
"name": "wasmtime"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "28.0.0"
29+
},
30+
{
31+
"fixed": "36.0.7"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "crates.io",
40+
"name": "wasmtime"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "37.0.0"
48+
},
49+
{
50+
"fixed": "42.0.2"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "crates.io",
59+
"name": "wasmtime"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "43.0.0"
67+
},
68+
{
69+
"fixed": "43.0.1"
70+
}
71+
]
72+
}
73+
],
74+
"versions": [
75+
"43.0.0"
76+
]
77+
}
78+
],
79+
"references": [
80+
{
81+
"type": "WEB",
82+
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-6wgr-89rj-399p"
83+
},
84+
{
85+
"type": "PACKAGE",
86+
"url": "https://github.com/bytecodealliance/wasmtime"
87+
}
88+
],
89+
"database_specific": {
90+
"cwe_ids": [
91+
"CWE-119"
92+
],
93+
"severity": "LOW",
94+
"github_reviewed": true,
95+
"github_reviewed_at": "2026-04-09T20:23:58Z",
96+
"nvd_published_at": null
97+
}
98+
}

advisories/github-reviewed/2026/04/GHSA-hfr4-7c6c-48w2/GHSA-hfr4-7c6c-48w2.json

Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-hfr4-7c6c-48w2",
4+
"modified": "2026-04-09T20:23:44Z",
5+
"published": "2026-04-09T20:23:44Z",
6+
"aliases": [
7+
"CVE-2026-34983"
8+
],
9+
"summary": "Wasmtime has use-after-free bug after cloning `wasmtime::Linker`",
10+
"details": "### Impact\n\nIn version 43.0.0 of the `wasmtime` crate, cloning a `wasmtime::Linker` is unsound and can result in use-after-free bugs.\n\nThis bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host.\n\nThe typical symptom of this use-after-free bug is a segfault. It does not enable heap corruption or data leakage.\n\nIf you are using the `wasmtime` CLI, rather than the embedding API, you are not affected. If you are using the embedding API but are not calling `wasmtime::Linker`'s `Clone` implementation, you are not affected.\n\nSpecifically, the following steps must occur to trigger the bug:\n\n* Clone a `wasmtime::Linker`\n* Drop the original linker instance\n* Use the new, cloned linker instance, resulting in a use-after-free\n\n### Patches\n\nThis bug has been patched in Wasmtime version 43.0.1\n\n### Workarounds\n\nWasmtime embedders are highly encouraged to upgrade their `wasmtime` crate dependency.\n\nIf upgrading is not an option, or as a temporary workaround before upgrading, you can avoid this bug by not cloning `wasmtime::Linker` and instead creating a new, empty `wasmtime::Linker` and manually reregistering the host APIs from the original linker:\n\n```rust\nuse wasmtime::{Linker, Result, Store};\n\nfn clone_linker<T>(linker: &Linker<T>, store: &mut Store<T>) -> Result<Linker<T>> {\n let mut cloned = Linker::new();\n for (module, name, item) in linker.iter(store) {\n cloned.define(module, name, item)?;\n }\n Ok(cloned)\n}\n```\n\n### References\n\nThis bug was introduced during an internal refactoring that was part of our efforts to [robustly handle allocation failure in Wasmtime](https://github.com/bytecodealliance/wasmtime/issues/12069). This refactoring introduced an string-interning pool which had an unsound `TryClone`[^try-clone] implementation.\n\n[^try-clone]: [The `TryClone` trait](https://github.com/bytecodealliance/wasmtime/blob/33e8b3d955697587b23cf39d87fbcbdb4d26b0c9/crates/core/src/alloc/try_clone.rs#L5-L17) is our version of the Rust standard library's `Clone` trait that allows for returning `OutOfMemory` errors.\n\n* The `StringPool` was introduced in https://github.com/bytecodealliance/wasmtime/pull/12536, at which time the bug in `TryClone for StringPool` was already present, although this code path was not yet used anywhere.\n* `wasmtime::Linker` was refactored to internally use `StringPool` in https://github.com/bytecodealliance/wasmtime/pull/12537, at which time the buggy code path became accessible.\n* This bug was originally reported to the Wasmtime maintainers as https://github.com/bytecodealliance/wasmtime/pull/12906",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "crates.io",
21+
"name": "wasmtime"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "43.0.0"
29+
},
30+
{
31+
"fixed": "43.0.1"
32+
}
33+
]
34+
}
35+
],
36+
"versions": [
37+
"43.0.0"
38+
]
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/bytecodealliance/wasmtime"
49+
}
50+
],
51+
"database_specific": {
52+
"cwe_ids": [
53+
"CWE-416"
54+
],
55+
"severity": "LOW",
56+
"github_reviewed": true,
57+
"github_reviewed_at": "2026-04-09T20:23:44Z",
58+
"nvd_published_at": null
59+
}
60+
}

0 commit comments

Comments
 (0)