apk package
wolfi/zellij
pkg:apk/wolfi/zellij
Vulnerabilities (15)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-27572 | — | < 0.44.0-r0 | 0.44.0-r0 | Feb 24, 2026 | Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the | ||
| CVE-2026-27204 | — | < 0.44.0-r0 | 0.44.0-r0 | Feb 24, 2026 | Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allo | ||
| CVE-2026-25727 | — | < 0.43.1-r6 | 0.43.1-r6 | Feb 6, 2026 | time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used | ||
| CVE-2026-25541 | — | < 0.43.1-r5 | 0.43.1-r5 | Feb 4, 2026 | Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition "v_capacity >= new_cap + offset" uses an unchecked addition. Whe | ||
| CVE-2026-24116 | — | < 0.44.0-r0 | 0.44.0-r0 | Jan 27, 2026 | Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signa | ||
| CVE-2025-64345 | Low | 1.8 | < 0.44.0-r0 | 0.44.0-r0 | Nov 12, 2025 | Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the content | |
| CVE-2025-53901 | — | < 0.44.0-r0 | 0.44.0-r0 | Jul 18, 2025 | Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_op | ||
| CVE-2024-12224 | — | < 0.41.2-r2 | 0.41.2-r2 | May 30, 2025 | Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname. | ||
| CVE-2024-51756 | Low | — | < 0.41.2-r1 | 0.41.2-r1 | Nov 5, 2024 | The cap-std project is organized around the eponymous `cap-std` crate, and develops libraries to make it easy to write capability-based code. cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", a | |
| CVE-2024-51745 | — | < 0 | 0 | Nov 5, 2024 | Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use su | ||
| CVE-2024-43806 | Med | 6.5 | < 0.42.1-r0 | 0.42.1-r0 | Aug 26, 2024 | Rustix is a set of safe Rust bindings to POSIX-ish APIs. When using `rustix::fs::Dir` using the `linux_raw` backend, it's possible for the iterator to "get stuck" when an IO error is encountered. Combined with a memory over-allocation issue in `rustix::fs::Dir::read_more`, this c | |
| CVE-2024-38358 | Low | 2.9 | < 0.41.2-r0 | 0.41.2-r0 | Jun 19, 2024 | Wasmer is a web assembly (wasm) Runtime supporting WASIX, WASI and Emscripten. If the preopened directory has a symlink pointing outside, WASI programs can traverse the symlink and access host filesystem if the caller sets both `oflags::creat` and `rights::fd_write`. Programs can | |
| CVE-2024-27308 | — | < 0.41.2-r2 | 0.41.2-r2 | Mar 6, 2024 | Mio is a Metal I/O library for Rust. When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. F | ||
| CVE-2023-26489 | — | < 0.41.2-r0 | 0.41.2-r0 | Mar 8, 2023 | wasmtime is a fast and secure runtime for WebAssembly. In affected versions wasmtime's code generator, Cranelift, has a bug on x86_64 targets where address-mode computation mistakenly would calculate a 35-bit effective address instead of WebAssembly's defined 33-bit effective add | ||
| CVE-2020-26235 | — | < 0.41.2-r2 | 0.41.2-r2 | Nov 24, 2020 | In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. T |
- CVE-2026-27572Feb 24, 2026affected < 0.44.0-r0fixed 0.44.0-r0
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the
- CVE-2026-27204Feb 24, 2026affected < 0.44.0-r0fixed 0.44.0-r0
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allo
- CVE-2026-25727Feb 6, 2026affected < 0.43.1-r6fixed 0.43.1-r6
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used
- CVE-2026-25541Feb 4, 2026affected < 0.43.1-r5fixed 0.43.1-r5
Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition "v_capacity >= new_cap + offset" uses an unchecked addition. Whe
- CVE-2026-24116Jan 27, 2026affected < 0.44.0-r0fixed 0.44.0-r0
Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signa
- affected < 0.44.0-r0fixed 0.44.0-r0
Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the content
- CVE-2025-53901Jul 18, 2025affected < 0.44.0-r0fixed 0.44.0-r0
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_op
- CVE-2024-12224May 30, 2025affected < 0.41.2-r2fixed 0.41.2-r2
Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.
- affected < 0.41.2-r1fixed 0.41.2-r1
The cap-std project is organized around the eponymous `cap-std` crate, and develops libraries to make it easy to write capability-based code. cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", a
- CVE-2024-51745Nov 5, 2024affected < 0fixed 0
Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use su
- affected < 0.42.1-r0fixed 0.42.1-r0
Rustix is a set of safe Rust bindings to POSIX-ish APIs. When using `rustix::fs::Dir` using the `linux_raw` backend, it's possible for the iterator to "get stuck" when an IO error is encountered. Combined with a memory over-allocation issue in `rustix::fs::Dir::read_more`, this c
- affected < 0.41.2-r0fixed 0.41.2-r0
Wasmer is a web assembly (wasm) Runtime supporting WASIX, WASI and Emscripten. If the preopened directory has a symlink pointing outside, WASI programs can traverse the symlink and access host filesystem if the caller sets both `oflags::creat` and `rights::fd_write`. Programs can
- CVE-2024-27308Mar 6, 2024affected < 0.41.2-r2fixed 0.41.2-r2
Mio is a Metal I/O library for Rust. When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. F
- CVE-2023-26489Mar 8, 2023affected < 0.41.2-r0fixed 0.41.2-r0
wasmtime is a fast and secure runtime for WebAssembly. In affected versions wasmtime's code generator, Cranelift, has a bug on x86_64 targets where address-mode computation mistakenly would calculate a 35-bit effective address instead of WebAssembly's defined 33-bit effective add
- CVE-2020-26235Nov 24, 2020affected < 0.41.2-r2fixed 0.41.2-r2
In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. T