CWE-758
Allowed-with-ReviewReliance on Undefined, Unspecified, or Implementation-Defined Behavior
Abstraction: Class · Status: Incomplete
The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.
33 vulnerabilities reference this CWE, most recent first.
CVE-2023-30624 (GCVE-0-2023-30624)
Vulnerability from cvelistv5 – Published: 2023-04-27 16:56 – Updated: 2025-01-30 19:33- CWE-758 - Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
| URL | Tags |
|---|---|
| https://github.com/bytecodealliance/wasmtime/secu… | x_refsource_CONFIRM |
| https://github.com/bytecodealliance/wasmtime/comm… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| bytecodealliance | wasmtime |
Affected:
< 6.0.2
Affected: = 7.0.0 Affected: = 8.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:28:52.059Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ch89-5g45-qwc7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ch89-5g45-qwc7"
},
{
"name": "https://github.com/bytecodealliance/wasmtime/commit/0977952dcd9d482bff7c288868ccb52769b3a92e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bytecodealliance/wasmtime/commit/0977952dcd9d482bff7c288868ccb52769b3a92e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30624",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-30T19:33:26.754522Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T19:33:32.271Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "wasmtime",
"vendor": "bytecodealliance",
"versions": [
{
"status": "affected",
"version": "\u003c 6.0.2"
},
{
"status": "affected",
"version": "= 7.0.0"
},
{
"status": "affected",
"version": "= 8.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime\u0027s implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level issues when compiled with LLVM 16 which causes some writes, which are critical for correctness, to be optimized away. Vulnerable versions of Wasmtime compiled with Rust 1.70, which is currently in beta, or later are known to have incorrectly compiled functions. Versions of Wasmtime compiled with the current Rust stable release, 1.69, and prior are not known at this time to have any issues, but can theoretically exhibit potential issues.\n\nThe underlying problem is that Wasmtime\u0027s runtime state for an instance involves a Rust-defined structure called `Instance` which has a trailing `VMContext` structure after it. This `VMContext` structure has a runtime-defined layout that is unique per-module. This representation cannot be expressed with safe code in Rust so `unsafe` code is required to maintain this state. The code doing this, however, has methods which take `\u0026self` as an argument but modify data in the `VMContext` part of the allocation. This means that pointers derived from `\u0026self` are mutated. This is typically not allowed, except in the presence of `UnsafeCell`, in Rust. When compiled to LLVM these functions have `noalias readonly` parameters which means it\u0027s UB to write through the pointers.\n\nWasmtime\u0027s internal representation and management of `VMContext` has been updated to use `\u0026mut self` methods where appropriate. Additionally verification tools for `unsafe` code in Rust, such as `cargo miri`, are planned to be executed on the `main` branch soon to fix any Rust-level issues that may be exploited in future compiler versions.\n\nPrecomplied binaries available for Wasmtime from GitHub releases have been compiled with at most LLVM 15 so are not known to be vulnerable. As mentioned above, however, it\u0027s still recommended to update.\n\nWasmtime version 6.0.2, 7.0.1, and 8.0.1 have been issued which contain the patch necessary to work correctly on LLVM 16 and have no known UB on LLVM 15 and earlier. If Wasmtime is compiled with Rust 1.69 and prior, which use LLVM 15, then there are no known issues. There is a theoretical possibility for undefined behavior to exploited, however, so it\u0027s recommended that users upgrade to a patched version of Wasmtime. Users using beta Rust (1.70 at this time) or nightly Rust (1.71 at this time) must update to a patched version to work correctly."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-758",
"description": "CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-27T16:56:49.971Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ch89-5g45-qwc7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ch89-5g45-qwc7"
},
{
"name": "https://github.com/bytecodealliance/wasmtime/commit/0977952dcd9d482bff7c288868ccb52769b3a92e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bytecodealliance/wasmtime/commit/0977952dcd9d482bff7c288868ccb52769b3a92e"
}
],
"source": {
"advisory": "GHSA-ch89-5g45-qwc7",
"discovery": "UNKNOWN"
},
"title": "Wasmtime has Undefined Behavior in Rust runtime functions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-30624",
"datePublished": "2023-04-27T16:56:49.971Z",
"dateReserved": "2023-04-13T13:25:18.833Z",
"dateUpdated": "2025-01-30T19:33:32.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-3288-P39F-RQPV
Vulnerability from github – Published: 2026-02-19 15:17 – Updated: 2026-02-19 15:17Summary
The asm! block enabled by the off-by-default asm feature, when enabled on ARMv8 targets, misspecified the operand
type for all of its operands, using in for pointers and values which were subsequently mutated by operations performed
within the assembly block.
Impact
It's unclear what practical impact, if any, this actually had. Incorrect operand types are technically undefined behavior, however changing them had no actual impact on the generated assembly for these targets. The possibility still exists that it may lead to potential memory safety or other issues on hypothetical future versions of rustc.
Mitigation
The operand types were changed from in to inout, and the impacted versions of the keccak crate were yanked.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "keccak"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-758"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-19T15:17:41Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\n\nThe `asm!` block enabled by the off-by-default `asm` feature, when enabled on ARMv8 targets, misspecified the operand\ntype for all of its operands, using `in` for pointers and values which were subsequently mutated by operations performed\nwithin the assembly block.\n\n### Impact\n\nIt\u0027s unclear what practical impact, if any, this actually had. Incorrect operand types are technically undefined\nbehavior, however changing them had no actual impact on the generated assembly for these targets. The possibility still\nexists that it may lead to potential memory safety or other issues on hypothetical future versions of rustc.\n\n### Mitigation\n\nThe operand types were changed from `in` to `inout`, and the impacted versions of the `keccak` crate were yanked.",
"id": "GHSA-3288-p39f-rqpv",
"modified": "2026-02-19T15:17:41Z",
"published": "2026-02-19T15:17:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/RustCrypto/sponges/pull/101"
},
{
"type": "WEB",
"url": "https://github.com/RustCrypto/sponges/commit/7ac1920198ebb7d0192e6d2c3581e15b38a6e0e5"
},
{
"type": "PACKAGE",
"url": "https://github.com/RustCrypto/sponges"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0012.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Unsoundness in opt-in ARMv8 assembly backend for `keccak`"
}
GHSA-36CP-X9PQ-R87W
Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2025-01-22 18:31The ShmemCharMapHashEntry() code was susceptible to potentially undefined behavior by bypassing the move semantics for one of its data members. This vulnerability affects Firefox < 126.
{
"affected": [],
"aliases": [
"CVE-2024-4774"
],
"database_specific": {
"cwe_ids": [
"CWE-758"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T18:15:15Z",
"severity": "MODERATE"
},
"details": "The `ShmemCharMapHashEntry()` code was susceptible to potentially undefined behavior by bypassing the move semantics for one of its data members. This vulnerability affects Firefox \u003c 126.",
"id": "GHSA-36cp-x9pq-r87w",
"modified": "2025-01-22T18:31:51Z",
"published": "2024-05-14T18:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4774"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1886598"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-3RJW-M598-PQ24
Vulnerability from github – Published: 2026-07-02 17:18 – Updated: 2026-07-02 17:18Summary
The aarch64 implementations of Cmov and CmovEq seem to assume that the high bits when loading a value of size smaller than a register into a register are zero-extended. However, this is not the case and these bits are unspecified. This can result in a left.cmovz(&right, condition) not moving right into left, even if condition == 0.
Details
The Rust reference for inline assembly states that:
If a value is of a smaller size than the register it is allocated in then the upper bits of that register will have an undefined value for inputs [..]. Reference
If the high bits [8..] of the selector loaded into a register in the Cmov implementation or the high bits [16..] of self or other for CmovEq (specifically the implementation for u16 and i16) are set, the inline asm compares will produce a different result than the Rust code expects based on the narrow types.
In other words, the following assert fails, even though condition as u8 is zero:
let condition: u32 = black_box(1 << 8);
let mut left = 1;
let right = 2;
left.cmovz(&right, condition as u8);
assert_eq!(left, right);
Because the ninth bit is set in the original variable, this bit is also set when the truncated condition is loaded into the input register for the cmp, causing the csel to select the wrong value.
The problematic code is located in cmov/src/backends/aarch64.rs here for Cmov and here for CmovEq.
The following function:
#[unsafe(no_mangle)]
pub fn cmovz_wrong_output(left: &mut i32, right: i32, condition: u32) {
left.cmovz(&right, condition as u8);
}
produces the assembly:
cmovz_wrong_output:
.cfi_startproc
ldr w8, [x0]
//APP
cmp w2, #0
csel w8, w1, w8, eq
//NO_APP
str w8, [x0]
ret
which compares the 32-bits of the condition value against 0, instead of the intended 8.
Similarly, the following function using cmoveq
#[unsafe(no_mangle)]
pub fn cmoveq_wrong_output(left: u32, right: u32, input: u8, output: &mut u8) {
(left as u16).cmoveq(&(right as u16), input, output);
}
compiles to:
cmoveq_wrong_output:
.cfi_startproc
ldrb w8, [x3]
and w9, w2, #0xff
//APP
eor w10, w0, w1
cmp w10, #0
csel w8, w9, w8, eq
//NO_APP
strb w8, [x3]
ret
where 32 bits of left and right are compared instead of 16. The same happens for i16.
For CmovEq, it seems the u8/i8 impls are not affected, as they are calling u16::from in the implementation which causes the upper bits to be masked out.
PoC
The following two test cases fail on aarch64-unknown-linux-gnu when compiled with --release (the cmovz one even in debug) emulated with qemu.
> rustc --version
rustc 1.94.0 (4a4ef493e 2026-03-02)
#[cfg(test)]
mod tests {
use core::hint::black_box;
use cmov::{Cmov, CmovEq};
#[test]
fn cmovz_wrong_output() {
// The black box is necessary here, as otherwise the compiler will
// provide a constant 0 to the csel
let condition: u32 = black_box(1 << 8);
let mut left = 1;
let right = 2;
// I added this debug_assert as a sanity check, but funnily it causes
// the wrong cmov behavior in debug as well (as opposed to only in release mode without the debug_assert)
debug_assert_eq!(0, condition as u8);
left.cmovz(&right, condition as u8);
assert_eq!(left, right);
}
#[test]
fn cmoveq_wrong_output() {
let input = 1;
let mut output = 0;
let left: u32 = black_box(1 << 16);
let right: u32 = black_box(1 << 17);
// asserting in release mode here would hide the bug, the debug_assert_eq is
// a sanity check that these values SHOULD be equal
debug_assert_eq!(left as u16, right as u16);
(left as u16).cmoveq(&(right as u16), input, &mut output);
assert_eq!(input, output);
}
}
Impact
Under specific circumstances, this issue can cause Cmov/CmovEq to produce incorrect output on aarch64. However, whether this bug can actually manifest depends on the surrounding code that calls the relevant impls. In the PoC, a narrowing cast is required, which masks out the set bits from Rust's point of view, but which are then used in the inline assembly.
Additional Finding
PR #1299 fixed a different bug in the aarch64 backend but introduced a small error. The csel! macro expect a cmp expression as its first argument which is never used. The compare is always "cmp {0:w}, 0", even for csel64!, which intends to use cmp {0:x}, 0. Given the bug described above, this oversight actually reduces its impact slightly, as only the bits in position[8..32] can cause issues, even for those impls that use csel64!.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "cmov"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.1"
},
{
"fixed": "0.5.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50185"
],
"database_specific": {
"cwe_ids": [
"CWE-758"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T17:18:11Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nThe aarch64 implementations of `Cmov` and `CmovEq` seem to assume that the high bits when loading a value of size smaller than a register into a register are zero-extended. However, this is not the case and these bits are unspecified. This can result in a `left.cmovz(\u0026right, condition)` not moving `right` into `left`, even if `condition == 0`. \n\n### Details\n\nThe Rust reference for inline assembly states that:\n\u003e If a value is of a smaller size than the register it is allocated in then the upper bits of that register will have an undefined value for inputs [..]. [Reference](https://doc.rust-lang.org/reference/inline-assembly.html#r-asm.register-operands.smaller-value)\n\nIf the high bits `[8..]` of the selector loaded into a register in the `Cmov` implementation or the high bits `[16..]` of `self` or `other` for CmovEq (specifically the implementation for `u16` and `i16`) are set, the inline asm compares will produce a different result than the Rust code expects based on the narrow types.\n\nIn other words, the following assert fails, even though `condition as u8` is zero:\n```rust\nlet condition: u32 = black_box(1 \u003c\u003c 8);\nlet mut left = 1;\nlet right = 2;\nleft.cmovz(\u0026right, condition as u8);\nassert_eq!(left, right);\n```\nBecause the ninth bit is set in the original variable, this bit is also set when the truncated condition is loaded into the input register for the `cmp`, causing the `csel` to select the wrong value.\n\nThe problematic code is located in `cmov/src/backends/aarch64.rs` [here for Cmov](https://github.com/RustCrypto/utils/blob/dad5e3b9e66d929e86144fe7c8f25371892e35f3/cmov/src/backends/aarch64.rs#L4-L19) and [here for CmovEq](https://github.com/RustCrypto/utils/blob/dad5e3b9e66d929e86144fe7c8f25371892e35f3/cmov/src/backends/aarch64.rs#L60-L72).\n\nThe following function:\n```rust\n#[unsafe(no_mangle)]\npub fn cmovz_wrong_output(left: \u0026mut i32, right: i32, condition: u32) {\n left.cmovz(\u0026right, condition as u8);\n}\n```\nproduces the assembly:\n```asm\ncmovz_wrong_output:\n\t.cfi_startproc\n\tldr w8, [x0]\n\t//APP\n\tcmp w2, #0\n\tcsel w8, w1, w8, eq\n\t//NO_APP\n\tstr w8, [x0]\n\tret\n```\n\nwhich compares the 32-bits of the condition value against 0, instead of the intended 8.\n\nSimilarly, the following function using `cmoveq`\n```rust\n#[unsafe(no_mangle)]\npub fn cmoveq_wrong_output(left: u32, right: u32, input: u8, output: \u0026mut u8) {\n (left as u16).cmoveq(\u0026(right as u16), input, output);\n}\n```\ncompiles to:\n```asm\ncmoveq_wrong_output:\n\t.cfi_startproc\n\tldrb w8, [x3]\n\tand w9, w2, #0xff\n\t//APP\n\teor w10, w0, w1\n\tcmp w10, #0\n\tcsel w8, w9, w8, eq\n\t//NO_APP\n\tstrb w8, [x3]\n\tret\n```\nwhere 32 bits of left and right are compared instead of 16. The same happens for `i16`.\n\nFor CmovEq, it seems the `u8/i8` impls are not affected, as they are calling `u16::from` in [the implementation](https://github.com/RustCrypto/utils/blob/dad5e3b9e66d929e86144fe7c8f25371892e35f3/cmov/src/lib.rs#L119) which causes the upper bits to be masked out.\n\n### PoC\n\nThe following two test cases fail on `aarch64-unknown-linux-gnu` when compiled with `--release` (the cmovz one even in debug) emulated with qemu.\n\n```\n\u003e rustc --version\nrustc 1.94.0 (4a4ef493e 2026-03-02)\n```\n\n```rust\n#[cfg(test)]\nmod tests {\n use core::hint::black_box;\n\n use cmov::{Cmov, CmovEq};\n\n #[test]\n fn cmovz_wrong_output() {\n // The black box is necessary here, as otherwise the compiler will \n // provide a constant 0 to the csel\n let condition: u32 = black_box(1 \u003c\u003c 8);\n let mut left = 1;\n let right = 2;\n // I added this debug_assert as a sanity check, but funnily it causes\n // the wrong cmov behavior in debug as well (as opposed to only in release mode without the debug_assert)\n debug_assert_eq!(0, condition as u8);\n left.cmovz(\u0026right, condition as u8);\n assert_eq!(left, right);\n }\n\n #[test]\n fn cmoveq_wrong_output() {\n let input = 1;\n let mut output = 0;\n let left: u32 = black_box(1 \u003c\u003c 16);\n let right: u32 = black_box(1 \u003c\u003c 17);\n // asserting in release mode here would hide the bug, the debug_assert_eq is\n // a sanity check that these values SHOULD be equal\n debug_assert_eq!(left as u16, right as u16);\n (left as u16).cmoveq(\u0026(right as u16), input, \u0026mut output);\n assert_eq!(input, output);\n }\n}\n```\n\n### Impact\n\nUnder specific circumstances, this issue can cause `Cmov/CmovEq` to produce incorrect output on `aarch64`. However, whether this bug can actually manifest depends on the surrounding code that calls the relevant impls. In the PoC, a narrowing cast is required, which masks out the set bits from Rust\u0027s point of view, but which are then used in the inline assembly. \n\n### Additional Finding\n\nPR [#1299](https://github.com/RustCrypto/utils/pull/1299) fixed a different bug in the aarch64 backend but introduced a small error. The `csel!` macro expect a `cmp` expression as its first argument which is never used. The compare is always `\"cmp {0:w}, 0\",` even for `csel64!`, which intends to use `cmp {0:x}, 0`. Given the bug described above, this oversight actually reduces its impact slightly, as only the bits in position`[8..32]` can cause issues, even for those impls that use `csel64!`.",
"id": "GHSA-3rjw-m598-pq24",
"modified": "2026-07-02T17:18:11Z",
"published": "2026-07-02T17:18:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/RustCrypto/utils/security/advisories/GHSA-3rjw-m598-pq24"
},
{
"type": "PACKAGE",
"url": "https://github.com/RustCrypto/utils"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Cmov/CmovEq on aarch64 can produce wrong results if high-bits of registers are set "
}
GHSA-5W5R-MF82-595P
Vulnerability from github – Published: 2026-01-28 16:06 – Updated: 2026-01-28 16:06The safe API functions constant::Reader::get and StructSchema::new rely on PointerReader::get_root_unchecked, which can cause undefined behavior (UB) by constructing arbitrary words or schemas.
Reader::get
pub fn get(&self) -> Result<<T as Owned>::Reader<'static>> {
// ...
// UNSAFE: access `words` without validation
}
StructSchema::new
pub fn new(builder: RawBrandedStructSchema) -> StructSchema {
// ...
// UNSAFE: access encoded nodes without validation
}
This vulnerability allows safe Rust code to trigger UB, which violates Rust's safety guarantees.
The issue is resolved in version 0.24.0 by making constructor functions unsafe and mark the fields of struct as visible only in the crate.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "capnp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-758"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-28T16:06:09Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "The safe API functions `constant::Reader::get` and `StructSchema::new` rely on `PointerReader::get_root_unchecked`, which can cause undefined behavior (UB) by constructing arbitrary words or schemas.\n\n## `Reader::get`\n\n```rust\npub fn get(\u0026self) -\u003e Result\u003c\u003cT as Owned\u003e::Reader\u003c\u0027static\u003e\u003e {\n // ...\n // UNSAFE: access `words` without validation\n}\n```\n\n## `StructSchema::new`\n\n```rust\npub fn new(builder: RawBrandedStructSchema) -\u003e StructSchema {\n // ...\n // UNSAFE: access encoded nodes without validation\n}\n```\n\nThis vulnerability allows safe Rust code to trigger UB, which violates Rust\u0027s safety guarantees.\n\nThe issue is resolved in version `0.24.0` by making constructor functions unsafe and mark the fields of struct as visible only in the crate.",
"id": "GHSA-5w5r-mf82-595p",
"modified": "2026-01-28T16:06:09Z",
"published": "2026-01-28T16:06:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/capnproto/capnproto-rust/issues/605"
},
{
"type": "WEB",
"url": "https://github.com/capnproto/capnproto-rust/commit/7b981f4c75a975c80444cd38729bcdf12bf3eabf"
},
{
"type": "WEB",
"url": "https://github.com/capnproto/capnproto-rust/commit/e3aeec213e6d1b30a182bf61682a370f20d8a02c"
},
{
"type": "PACKAGE",
"url": "https://github.com/capnproto/capnproto-rust"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0143.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Cap\u0027n Proto has Undefined Behavior in constant::Reader and StructSchema"
}
GHSA-6HGW-6X87-578X
Vulnerability from github – Published: 2025-08-25 16:23 – Updated: 2025-08-25 16:23Summary
- Target: ImageMagick (commit
ecc9a5eb456747374bae8e07038ba10b3d8821b3) - Type: Undefined Behavior (function-type-mismatch) in splay tree cloning callback
- Impact: Deterministic abort under UBSan (DoS in sanitizer builds). No crash in a non-sanitized build; likely low security impact.
- Trigger: Minimal 2-byte input parsed via MagickWand, then coalescing.
Environment
OS: macOS (Apple Silicon/arm64)
Homebrew clang version 20.1.8
Target: arm64-apple-darwin24.5.0
Thread model: posix
InstalledDir: /opt/homebrew/Cellar/llvm/20.1.8/bin
Configuration file: /opt/homebrew/etc/clang/arm64-apple-darwin24.cfg
Homebrew ImageMagick: magick -version → ImageMagick 7.1.2-0 Q16-HDRI aarch64
pkg-config: MagickWand-7.Q16HDRI version 7.1.2
Library configure flags (capsule build):
./configure --disable-shared --enable-static --without-modules --without-magick-plus-plus --disable-openmp --without-perl --without-x --with-png=yes --without-jpeg --without-tiff --without-xml --without-lqr --without-gslib
Harness compile flags:
-fsanitize=fuzzer,address,undefined -fno-omit-frame-pointer
pkg-config cflags/libs supplied:
-I<...>/include/ImageMagick-7
-DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=16 -DMAGICKCORE_CHANNEL_MASK_DEPTH=32
and linked against MagickWand-7.Q16HDRI and MagickCore-7.Q16HDRI
Sanitizer runtime:
ASan+UBSan defaults. Repro also with UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
PoC
- Bytes (hex):
1c 02 - Base64:
HAI= - sha256 (optional):
Reproduction
Create PoC:
printf '\x1c\x02' > poc.bin
Option A: libFuzzer harness
- Run once: ./harness_ImageMagick_... -runs=1 ./poc.bin
- Expected: UBSan aborts with function-type-mismatch at MagickCore/splay-tree.c:372:43.
Option B: standalone reproducer (C)
- Compile (ensure PKG_CONFIG_PATH points to your ImageMagick if needed):
/opt/homebrew/opt/llvm/bin/clang -g -O1 -fsanitize=address,undefined $(/opt/homebrew/bin/pkg-config --cflags MagickWand-7.Q16HDRI) repro.c -o repro $(/opt/homebrew/bin/pkg-config --libs MagickWand-7.Q16HDRI)
- Run:
UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1 ./repro ./poc.bin Observed output (excerpt) MagickCore/splay-tree.c:372:43: runtime error: call to function ConstantString through pointer to incorrect function type 'void ()(void *)' string.c:680: note: ConstantString defined here
0 CloneSplayTree splay-tree.c:372
1 CloneImageProfiles profile.c:159
2 CloneImage image.c:832
3 CoalesceImages layer.c:269
4 MagickCoalesceImages magick-image.c:1665
5 main repro.c:XX
Root cause
The splay tree clone callback expects a function pointer of type void *(*)(void *). ConstantString has a different signature (char *ConstantString(const char *)). Calling through the mismatched function type is undefined behavior in C and triggers UBSan’s function-type-mismatch.
The path is exercised during coalescing: CloneImage → CloneImageProfiles → CloneSplayTree.
Scope
Reproduces with a minimal, sanitizer-instrumented, PNG-enabled build and delegates disabled (policy.xml), suggesting the issue is in MagickCore rather than external delegates.
Suggested fix (sketch)
Use a wrapper that matches the expected callback prototype, or adjust the splay-tree callback typedef for const-correctness. For example:
static void CloneStringShim(const void p) {
return (void ) ConstantString((const char ) p);
}
/ When setting splay-tree clone_value, use CloneStringShim instead of ConstantString. /
Alternatively, update the clone callback typedefs to use const void consistently (and return void) and ensure callers pass a correctly typed wrapper.
Artifacts
Minimised PoC: attached (poc.bin, 2 bytes; base64 HAI=)
Harness source and exact build command (attached)
Full UBSan trace (attached)
Commit SHA and configure flags (above)
Credits
Discovered by: Lumina Mescuwa
Method: libFuzzer + UBSan
Verification
- UBSan build: Reproduces with halt_on_error=1; aborts at MagickCore/splay-tree.c:372.
- Non-sanitized Homebrew build (macOS arm64, clang 20.1.8): No crash; repro completes silently.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55160"
],
"database_specific": {
"cwe_ids": [
"CWE-758"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-25T16:23:51Z",
"nvd_published_at": "2025-08-13T14:15:33Z",
"severity": "MODERATE"
},
"details": "## Summary\n- **Target:** ImageMagick (commit `ecc9a5eb456747374bae8e07038ba10b3d8821b3`)\n- **Type:** Undefined Behavior (function-type-mismatch) in splay tree cloning callback\n- **Impact:** Deterministic abort under UBSan (DoS in sanitizer builds). No crash in a non-sanitized build; likely low security impact.\n- **Trigger:** Minimal **2-byte** input parsed via MagickWand, then coalescing.\n## Environment\nOS: macOS (Apple Silicon/arm64)\nHomebrew clang version 20.1.8\nTarget: arm64-apple-darwin24.5.0\nThread model: posix\nInstalledDir: /opt/homebrew/Cellar/llvm/20.1.8/bin\nConfiguration file: /opt/homebrew/etc/clang/arm64-apple-darwin24.cfg\nHomebrew ImageMagick: `magick -version` \u2192 `ImageMagick 7.1.2-0 Q16-HDRI aarch64`\npkg-config: `MagickWand-7.Q16HDRI` version `7.1.2`\nLibrary configure flags (capsule build):\n./configure --disable-shared --enable-static --without-modules --without-magick-plus-plus --disable-openmp --without-perl --without-x --with-png=yes --without-jpeg --without-tiff --without-xml --without-lqr --without-gslib\nHarness compile flags:\n-fsanitize=fuzzer,address,undefined -fno-omit-frame-pointer\npkg-config cflags/libs supplied:\n-I\u003c...\u003e/include/ImageMagick-7\n-DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=16 -DMAGICKCORE_CHANNEL_MASK_DEPTH=32\nand linked against MagickWand-7.Q16HDRI and MagickCore-7.Q16HDRI\nSanitizer runtime:\nASan+UBSan defaults. Repro also with `UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1`\n## PoC\n- **Bytes (hex):** `1c 02`\n- **Base64:** `HAI=`\n - **sha256 (optional):** \u003cfill in\u003e\n## Reproduction\nCreate PoC:\n\n`printf \u0027\\x1c\\x02\u0027 \u003e poc.bin`\n\nOption A: libFuzzer harness\n- Run once: `./harness_ImageMagick_... -runs=1 ./poc.bin`\n- Expected: UBSan aborts with function-type-mismatch at `MagickCore/splay-tree.c:372:43`.\n\nOption B: standalone reproducer (C)\n- Compile (ensure `PKG_CONFIG_PATH` points to your ImageMagick if needed):\n\n/opt/homebrew/opt/llvm/bin/clang -g -O1 -fsanitize=address,undefined $(/opt/homebrew/bin/pkg-config --cflags MagickWand-7.Q16HDRI) repro.c -o repro $(/opt/homebrew/bin/pkg-config --libs MagickWand-7.Q16HDRI)\n\n- Run:\n\nUBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1 ./repro ./poc.bin\nObserved output (excerpt)\nMagickCore/splay-tree.c:372:43: runtime error: call to function ConstantString through pointer to incorrect function type \u0027void *(*)(void *)\u0027\nstring.c:680: note: ConstantString defined here\n#0 CloneSplayTree splay-tree.c:372\n#1 CloneImageProfiles profile.c:159\n#2 CloneImage image.c:832\n#3 CoalesceImages layer.c:269\n#4 MagickCoalesceImages magick-image.c:1665\n#5 main repro.c:XX\nRoot cause\nThe splay tree clone callback expects a function pointer of type `void *(*)(void *)`. ConstantString has a different signature (`char *ConstantString(const char *)`). Calling through the mismatched function type is undefined behavior in C and triggers UBSan\u2019s function-type-mismatch.\nThe path is exercised during coalescing: CloneImage \u2192 CloneImageProfiles \u2192 CloneSplayTree.\nScope\nReproduces with a minimal, sanitizer-instrumented, PNG-enabled build and delegates disabled (policy.xml), suggesting the issue is in MagickCore rather than external delegates.\nSuggested fix (sketch)\nUse a wrapper that matches the expected callback prototype, or adjust the splay-tree callback typedef for const-correctness. For example:\nstatic void *CloneStringShim(const void *p) {\nreturn (void *) ConstantString((const char *) p);\n}\n\n/* When setting splay-tree clone_value, use CloneStringShim instead of ConstantString. */\n\nAlternatively, update the clone callback typedefs to use const void* consistently (and return void*) and ensure callers pass a correctly typed wrapper.\n\nArtifacts\nMinimised PoC: attached (poc.bin, 2 bytes; base64 HAI=)\nHarness source and exact build command (attached)\nFull UBSan trace (attached)\nCommit SHA and configure flags (above)\nCredits\nDiscovered by: Lumina Mescuwa\nMethod: libFuzzer + UBSan\nVerification\n- UBSan build: Reproduces with `halt_on_error=1`; aborts at `MagickCore/splay-tree.c:372`.\n- Non-sanitized Homebrew build (macOS arm64, clang 20.1.8): No crash; repro completes silently.",
"id": "GHSA-6hgw-6x87-578x",
"modified": "2025-08-25T16:23:52Z",
"published": "2025-08-25T16:23:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hgw-6x87-578x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55160"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
},
{
"type": "WEB",
"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick has Undefined Behavior (function-type-mismatch) in CloneSplayTree"
}
GHSA-9R85-XF24-6724
Vulnerability from github – Published: 2026-03-24 15:30 – Updated: 2026-03-25 21:30Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
{
"affected": [],
"aliases": [
"CVE-2026-4718"
],
"database_specific": {
"cwe_ids": [
"CWE-758"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-24T13:16:07Z",
"severity": "HIGH"
},
"details": "Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox \u003c 149 and Firefox ESR \u003c 140.9.",
"id": "GHSA-9r85-xf24-6724",
"modified": "2026-03-25T21:30:27Z",
"published": "2026-03-24T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4718"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2014864"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-22"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-23"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-24"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CH89-5G45-QWC7
Vulnerability from github – Published: 2023-04-27 17:08 – Updated: 2025-05-02 12:52Impact
Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level issues when compiled with LLVM 16 which causes some writes, which are critical for correctness, to be optimized away. Vulnerable versions of Wasmtime compiled with Rust 1.70, which is currently in beta, or later are known to have incorrectly compiled functions. Versions of Wasmtime compiled with the current Rust stable release, 1.69, and prior are not known at this time to have any issues, but can theoretically exhibit potential issues.
The underlying problem is that Wasmtime's runtime state for an instance involves a Rust-defined structure called Instance which has a trailing VMContext structure after it. This VMContext structure has a runtime-defined layout that is unique per-module. This representation cannot be expressed with safe code in Rust so unsafe code is required to maintain this state. The code doing this, however, has methods which take &self as an argument but modify data in the VMContext part of the allocation. This means that pointers derived from &self are mutated. This is typically not allowed, except in the presence of UnsafeCell, in Rust. When compiled to LLVM these functions have noalias readonly parameters which means it's UB to write through the pointers.
Wasmtime's internal representation and management of VMContext has been updated to use &mut self methods where appropriate. Additionally verification tools for unsafe code in Rust, such as cargo miri, are planned to be executed on the main branch soon to fix any Rust-level issues that may be exploited in future compiler versions.
Precomplied binaries available for Wasmtime from GitHub releases have been compiled with at most LLVM 15 so are not known to be vulnerable. As mentioned above, however, it's still recommended to update.
Patches
Wasmtime version 6.0.2, 7.0.1, and 8.0.1 have been issued which contain the patch necessary to work correctly on LLVM 16 and have no known UB on LLVM 15 and earlier.
Workarounds
If Wasmtime is compiled with Rust 1.69 and prior, which use LLVM 15, then there are no known issues. There is a theoretical possibility for UB to exploited, however, so it's recommended that users upgrade to a patched version of Wasmtime. Users using beta Rust (1.70 at this time) or nightly Rust (1.71 at this time) must update to a patched version to work correctly.
References
For more information
If you have any questions or comments about this advisory:
- Reach out to us on the Bytecode Alliance Zulip chat
- Open an issue in the bytecodealliance/wasmtime repository
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-30624"
],
"database_specific": {
"cwe_ids": [
"CWE-758"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-27T17:08:37Z",
"nvd_published_at": "2023-04-27T17:15:08Z",
"severity": "LOW"
},
"details": "### Impact\n\nWasmtime\u0027s implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level issues when compiled with LLVM 16 which causes some writes, which are critical for correctness, to be optimized away. Vulnerable versions of Wasmtime compiled with Rust 1.70, which is currently in beta, or later are known to have incorrectly compiled functions. Versions of Wasmtime compiled with the current Rust stable release, 1.69, and prior are not known at this time to have any issues, but can theoretically exhibit potential issues.\n\nThe underlying problem is that Wasmtime\u0027s runtime state for an instance involves a Rust-defined structure called `Instance` which has a trailing `VMContext` structure after it. This `VMContext` structure has a runtime-defined layout that is unique per-module. This representation cannot be expressed with safe code in Rust so `unsafe` code is required to maintain this state. The code doing this, however, has methods which take `\u0026self` as an argument but modify data in the `VMContext` part of the allocation. This means that pointers derived from `\u0026self` are mutated. This is typically not allowed, except in the presence of `UnsafeCell`, in Rust. When compiled to LLVM these functions have `noalias readonly` parameters which means it\u0027s UB to write through the pointers.\n\nWasmtime\u0027s internal representation and management of `VMContext` has been updated to use `\u0026mut self` methods where appropriate. Additionally verification tools for `unsafe` code in Rust, such as `cargo miri`, are planned to be executed on the `main` branch soon to fix any Rust-level issues that may be exploited in future compiler versions.\n\nPrecomplied binaries available for Wasmtime from GitHub releases have been compiled with at most LLVM 15 so are not known to be vulnerable. As mentioned above, however, it\u0027s still recommended to update.\n\n### Patches\n\nWasmtime version 6.0.2, 7.0.1, and 8.0.1 have been issued which contain the patch necessary to work correctly on LLVM 16 and have no known UB on LLVM 15 and earlier. \n\n### Workarounds\n\nIf Wasmtime is compiled with Rust 1.69 and prior, which use LLVM 15, then there are no known issues. There is a theoretical possibility for UB to exploited, however, so it\u0027s recommended that users upgrade to a patched version of Wasmtime. Users using beta Rust (1.70 at this time) or nightly Rust (1.71 at this time) must update to a patched version to work correctly.\n\n### References\n\n* [GitHub Advisory](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ch89-5g45-qwc7)\n* [Mailing list announcement](https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/ecK-6G2yi90)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Reach out to us on [the Bytecode Alliance Zulip chat](https://bytecodealliance.zulipchat.com/#narrow/stream/217126-wasmtime)\n* Open an issue in [the bytecodealliance/wasmtime repository](https://github.com/bytecodealliance/wasmtime/)",
"id": "GHSA-ch89-5g45-qwc7",
"modified": "2025-05-02T12:52:55Z",
"published": "2023-04-27T17:08:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ch89-5g45-qwc7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30624"
},
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/commit/0977952dcd9d482bff7c288868ccb52769b3a92e"
},
{
"type": "PACKAGE",
"url": "https://github.com/bytecodealliance/wasmtime"
},
{
"type": "WEB",
"url": "https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/ecK-6G2yi90"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2023-0092.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Undefined Behavior in Rust runtime functions"
}
GHSA-GFXP-F68G-8X78
Vulnerability from github – Published: 2025-09-15 13:57 – Updated: 2025-09-15 13:57In version 0.0.4, libyml::string::yaml_string_extend was revised resulting in undefined behaviour, which is unsound.
The GitHub project for libyml was archived after unsoundness issues were raised.
If you rely on this crate, it is highly recommended switching to a maintained alternative.
Recommended alternatives
libyaml-saferunsafe-libyaml-norway- Maintained fork ofunsafe-libyaml
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "libyml"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.4"
},
{
"last_affected": "0.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-758"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-15T13:57:29Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "In version 0.0.4, `libyml::string::yaml_string_extend` was revised resulting in undefined behaviour, which is unsound.\n\nThe GitHub project for `libyml` was archived after unsoundness issues were raised.\n\nIf you rely on this crate, it is highly recommended switching to a maintained alternative.\n\n## Recommended alternatives\n\n- [`libyaml-safer`](https://crates.io/crates/libyaml-safer) \n- [`unsafe-libyaml-norway`](https://crates.io/crates/unsafe-libyaml-norway) - Maintained fork of `unsafe-libyaml`",
"id": "GHSA-gfxp-f68g-8x78",
"modified": "2025-09-15T13:57:29Z",
"published": "2025-09-15T13:57:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rustsec/advisory-db/issues/2395"
},
{
"type": "PACKAGE",
"url": "https://github.com/sebastienrousseau/libyml"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0067.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LibYML: `libyml::string::yaml_string_extend` is unsound and unmaintained"
}
GHSA-J97Q-98F4-5WQ3
Vulnerability from github – Published: 2026-03-24 15:30 – Updated: 2026-03-25 21:30Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149.
{
"affected": [],
"aliases": [
"CVE-2026-4724"
],
"database_specific": {
"cwe_ids": [
"CWE-758"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-24T13:16:08Z",
"severity": "CRITICAL"
},
"details": "Undefined behavior in the Audio/Video component. This vulnerability affects Firefox \u003c 149.",
"id": "GHSA-j97q-98f4-5wq3",
"modified": "2026-03-25T21:30:28Z",
"published": "2026-03-24T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4724"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2014865"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.