apk package
chainguard/wash
pkg:apk/chainguard/wash
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-31812 | Hig | — | < 0.39.0-r9 | 0.39.0-r9 | Mar 10, 2026 | Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malf | |
| CVE-2026-25727 | — | < 0.39.0-r7 | 0.39.0-r7 | Feb 6, 2026 | time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used | ||
| CVE-2026-25541 | — | < 0.39.0-r6 | 0.39.0-r6 | Feb 4, 2026 | Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition "v_capacity >= new_cap + offset" uses an unchecked addition. Whe | ||
| CVE-2025-58160 | Low | — | < 0.39.0-r5 | 0.39.0-r5 | Aug 29, 2025 | tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be i | |
| CVE-2024-58262 | — | < 0.30.0-r0 | 0.30.0-r0 | Jul 27, 2025 | The curve25519-dalek crate before 4.1.3 for Rust has a constant-time operation on elliptic curve scalars that is removed by LLVM. | ||
| CVE-2024-12224 | — | < 0.38.0-r0 | 0.38.0-r0 | May 30, 2025 | Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname. | ||
| CVE-2025-4432 | Med | 5.3 | < 0.39.0-r1 | 0.39.0-r1 | May 9, 2025 | A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets | |
| CVE-2024-51756 | Low | — | < 0.36.1-r2 | 0.36.1-r2 | Nov 5, 2024 | The cap-std project is organized around the eponymous `cap-std` crate, and develops libraries to make it easy to write capability-based code. cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", a | |
| CVE-2024-51745 | — | < 0.36.1-r2 | 0.36.1-r2 | Nov 5, 2024 | Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use su | ||
| CVE-2024-47813 | — | < 0.34.1-r2 | 0.34.1-r2 | Oct 9, 2024 | Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That regi | ||
| CVE-2024-47763 | — | < 0.34.1-r2 | 0.34.1-r2 | Oct 9, 2024 | Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or | ||
| CVE-2024-47609 | Med | — | < 0.39.0-r1 | 0.39.0-r1 | Oct 1, 2024 | Tonic is a native gRPC client & server implementation with async/await support. When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a TCP/TLS stream. This can be triggered by causing the accept call to error out | |
| CVE-2024-45311 | — | < 0.32.1-r1 | 0.32.1-r1 | Sep 2, 2024 | Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. As of quinn-proto 0.11, it is possible for a server to `accept()`, `retry()`, `refuse()`, or `ignore()` an `Incoming` connection. However, calling `retry()` on an unvalidated connection exp |
- affected < 0.39.0-r9fixed 0.39.0-r9
Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malf
- CVE-2026-25727Feb 6, 2026affected < 0.39.0-r7fixed 0.39.0-r7
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used
- CVE-2026-25541Feb 4, 2026affected < 0.39.0-r6fixed 0.39.0-r6
Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition "v_capacity >= new_cap + offset" uses an unchecked addition. Whe
- affected < 0.39.0-r5fixed 0.39.0-r5
tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be i
- CVE-2024-58262Jul 27, 2025affected < 0.30.0-r0fixed 0.30.0-r0
The curve25519-dalek crate before 4.1.3 for Rust has a constant-time operation on elliptic curve scalars that is removed by LLVM.
- CVE-2024-12224May 30, 2025affected < 0.38.0-r0fixed 0.38.0-r0
Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.
- affected < 0.39.0-r1fixed 0.39.0-r1
A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets
- affected < 0.36.1-r2fixed 0.36.1-r2
The cap-std project is organized around the eponymous `cap-std` crate, and develops libraries to make it easy to write capability-based code. cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", a
- CVE-2024-51745Nov 5, 2024affected < 0.36.1-r2fixed 0.36.1-r2
Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use su
- CVE-2024-47813Oct 9, 2024affected < 0.34.1-r2fixed 0.34.1-r2
Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That regi
- CVE-2024-47763Oct 9, 2024affected < 0.34.1-r2fixed 0.34.1-r2
Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or
- affected < 0.39.0-r1fixed 0.39.0-r1
Tonic is a native gRPC client & server implementation with async/await support. When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a TCP/TLS stream. This can be triggered by causing the accept call to error out
- CVE-2024-45311Sep 2, 2024affected < 0.32.1-r1fixed 0.32.1-r1
Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. As of quinn-proto 0.11, it is possible for a server to `accept()`, `retry()`, `refuse()`, or `ignore()` an `Incoming` connection. However, calling `retry()` on an unvalidated connection exp