VYPR

apk package

chainguard/yara-x

pkg:apk/chainguard/yara-x

Vulnerabilities (22)

  • CVE-2026-44216HigMay 14, 2026
    affected < 1.16.0-r1fixed 1.16.0-r1

    Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely larg

  • CVE-2026-35195MedApr 9, 2026
    affected < 1.15.0-r2fixed 1.15.0-r2

    Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings between components contains a bug where the return value of a guest component's realloc is not validated before the host attempts to write through

  • CVE-2026-35186HigApr 9, 2026
    affected < 1.15.0-r2fixed 1.15.0-r2

    Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler backend contains a bug where translating the table.grow operator causes the result to be incorrectly typed. For 32-bit tables this means that the result of the opera

  • CVE-2026-34988MedApr 9, 2026
    affected < 1.15.0-r2fixed 1.15.0-r2

    Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of its pooling allocator contains a bug where in certain configurations the contents of linear memory can be leaked from one instance to the next. The implementation

  • CVE-2026-34987CriApr 9, 2026
    affected < 1.15.0-r2fixed 1.15.0-r2

    Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-memory sandbox. This vulnerability requir

  • CVE-2026-34971HigApr 9, 2026
    affected < 1.15.0-r2fixed 1.15.0-r2

    Wasmtime is a runtime for WebAssembly. From 32.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses which means that the wrong address is accessed. When combined with explicit

  • CVE-2026-34946HigApr 9, 2026
    affected < 1.15.0-r2fixed 1.15.0-r2

    Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on

  • CVE-2026-34945MedApr 9, 2026
    affected < 1.15.0-r2fixed 1.15.0-r2

    Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosi

  • CVE-2026-34944MedApr 9, 2026
    affected < 1.15.0-r2fixed 1.15.0-r2

    Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabl

  • CVE-2026-34943HigApr 9, 2026
    affected < 1.15.0-r2fixed 1.15.0-r2

    Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags the component model specifies

  • CVE-2026-34942MedApr 9, 2026
    affected < 1.15.0-r2fixed 1.15.0-r2

    Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned poin

  • CVE-2026-34941HigApr 9, 2026
    affected < 1.15.0-r2fixed 1.15.0-r2

    Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byte length of the input string when perform

  • CVE-2026-27572Feb 24, 2026
    affected < 1.13.0-r2fixed 1.13.0-r2

    Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the

  • CVE-2026-27204Feb 24, 2026
    affected < 1.13.0-r2fixed 1.13.0-r2

    Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allo

  • CVE-2026-27195Feb 24, 2026
    affected < 1.13.0-r2fixed 1.13.0-r2

    Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` which made it capable of calling async-typed guest export functions. However, tha

  • CVE-2026-25727Feb 6, 2026
    affected < 1.12.0-r3fixed 1.12.0-r3

    time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used

  • CVE-2026-24116Jan 27, 2026
    affected < 1.12.0-r1fixed 1.12.0-r1

    Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signa

  • CVE-2026-21895Jan 8, 2026
    affected < 1.10.0-r1fixed 1.10.0-r1

    The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue.

  • CVE-2025-64345LowNov 12, 2025
    affected < 1.9.0-r2fixed 1.9.0-r2

    Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the content

  • CVE-2025-53901Jul 18, 2025
    affected < 1.4.0-r2fixed 1.4.0-r2

    Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_op

Page 1 of 2