VYPR

apk package

chainguard/wizer

pkg:apk/chainguard/wizer

Vulnerabilities (24)

  • CVE-2026-47261HigJun 15, 2026
    affected < 11.0.3-r12fixed 11.0.3-r12

    Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 path

  • CVE-2026-44216HigMay 14, 2026
    affected < 11.0.3-r12fixed 11.0.3-r12

    Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely larg

  • CVE-2026-35195MedApr 9, 2026
    affected < 11.0.3-r10fixed 11.0.3-r10

    Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings between components contains a bug where the return value of a guest component's realloc is not validated before the host attempts to write through

  • CVE-2026-35186HigApr 9, 2026
    affected < 11.0.3-r10fixed 11.0.3-r10

    Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler backend contains a bug where translating the table.grow operator causes the result to be incorrectly typed. For 32-bit tables this means that the result of the opera

  • CVE-2026-34988MedApr 9, 2026
    affected < 11.0.3-r10fixed 11.0.3-r10

    Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of its pooling allocator contains a bug where in certain configurations the contents of linear memory can be leaked from one instance to the next. The implementation

  • CVE-2026-34987CriApr 9, 2026
    affected < 11.0.3-r10fixed 11.0.3-r10

    Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-memory sandbox. This vulnerability requir

  • CVE-2026-34971HigApr 9, 2026
    affected < 11.0.3-r10fixed 11.0.3-r10

    Wasmtime is a runtime for WebAssembly. From 32.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses which means that the wrong address is accessed. When combined with explicit

  • CVE-2026-34946HigApr 9, 2026
    affected < 11.0.3-r10fixed 11.0.3-r10

    Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on

  • CVE-2026-34945MedApr 9, 2026
    affected < 11.0.3-r10fixed 11.0.3-r10

    Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosi

  • CVE-2026-34944MedApr 9, 2026
    affected < 11.0.3-r10fixed 11.0.3-r10

    Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabl

  • CVE-2026-34943HigApr 9, 2026
    affected < 11.0.3-r10fixed 11.0.3-r10

    Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags the component model specifies

  • CVE-2026-34942MedApr 9, 2026
    affected < 11.0.3-r10fixed 11.0.3-r10

    Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned poin

  • CVE-2026-34941HigApr 9, 2026
    affected < 11.0.3-r10fixed 11.0.3-r10

    Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byte length of the input string when perform

  • CVE-2026-27572Feb 24, 2026
    affected < 10.0.0-r7fixed 10.0.0-r7

    Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the

  • CVE-2026-27204Feb 24, 2026
    affected < 10.0.0-r7fixed 10.0.0-r7

    Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allo

  • CVE-2026-25541Feb 4, 2026
    affected < 10.0.0-r6fixed 10.0.0-r6

    Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition "v_capacity >= new_cap + offset" uses an unchecked addition. Whe

  • CVE-2026-24116Jan 27, 2026
    affected < 10.0.0-r4fixed 10.0.0-r4

    Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signa

  • CVE-2025-64345LowNov 12, 2025
    affected < 10.0.0-r3fixed 10.0.0-r3

    Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the content

  • CVE-2025-53901Jul 18, 2025
    affected < 10.0.0-r2fixed 10.0.0-r2

    Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_op

  • CVE-2024-12224May 30, 2025
    affected < 7.0.5-r4fixed 7.0.5-r4

    Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.

Page 1 of 2