Common Weakness Enumeration

CWE-248

Allowed

Uncaught Exception

Abstraction: Base · Status: Draft

An exception is thrown from a function, but it is not caught.

421 vulnerabilities reference this CWE, most recent first.

GHSA-PQ7C-X8G4-RVP6

Vulnerability from github – Published: 2026-05-18 20:22 – Updated: 2026-06-09 10:58
VLAI
Summary
NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes
Details

Summary

Two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. There is no impact to confidentiality or integrity.

Details

The affected routes are the per-component resource route (added in v1.4.6) and the ESM module route (added in v3.0.0). Both join a user-supplied path segment with a registered base directory and pass the result to FileResponse. The existing existence check uses pathlib.Path.exists(), which returns True for directories — so a request whose sub-path resolves to a directory passes the guard and triggers an unhandled exception inside Starlette.

FastAPI has no default handler for RuntimeError, so each such request results in a 500 response and a multi-frame traceback in the server log.

Other NiceGUI-served paths (/static/..., /components/..., /libraries/...) are not affected; they do not use the same sub-path-to-FileResponse pattern.

Impact

A remote, unauthenticated attacker can repeatedly trigger the error condition with crafted requests. Each request emits roughly 100 lines of traceback in a default setup, and more when additional middleware layers are present. At sustained request rates this can:

  • exhaust disk space on hosts with default log retention,
  • saturate downstream log-shipping pipelines,
  • generate alert fatigue or mask other events in monitoring.

There is no remote code execution, no path traversal, and no data exposure beyond the absolute installation path that already appears in any uncaught exception trace.

Workarounds

For deployments that cannot upgrade immediately:

  • Place NiceGUI behind a reverse proxy that rejects requests where the path after /_nicegui/<version>/esm/<key>/ or /_nicegui/<version>/resources/<key>/ is empty.
  • Rate-limit the /_nicegui/ prefix at the proxy.
  • Configure log rotation aggressively for the affected service.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.11.1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "nicegui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T20:22:07Z",
    "nvd_published_at": "2026-06-02T16:16:41Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nTwo FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled `RuntimeError` inside Starlette\u0027s `FileResponse`, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. There is no impact to confidentiality or integrity.\n\n### Details\n\nThe affected routes are the per-component **resource** route (added in v1.4.6) and the **ESM module** route (added in v3.0.0). Both join a user-supplied path segment with a registered base directory and pass the result to `FileResponse`. The existing existence check uses `pathlib.Path.exists()`, which returns `True` for directories \u2014 so a request whose sub-path resolves to a directory passes the guard and triggers an unhandled exception inside Starlette.\n\nFastAPI has no default handler for `RuntimeError`, so each such request results in a 500 response and a multi-frame traceback in the server log.\n\nOther NiceGUI-served paths (`/static/...`, `/components/...`, `/libraries/...`) are not affected; they do not use the same sub-path-to-`FileResponse` pattern.\n\n### Impact\n\nA remote, unauthenticated attacker can repeatedly trigger the error condition with crafted requests. Each request emits roughly 100 lines of traceback in a default setup, and more when additional middleware layers are present. At sustained request rates this can:\n\n- exhaust disk space on hosts with default log retention,\n- saturate downstream log-shipping pipelines,\n- generate alert fatigue or mask other events in monitoring.\n\nThere is no remote code execution, no path traversal, and no data exposure beyond the absolute installation path that already appears in any uncaught exception trace.\n\n### Workarounds\n\nFor deployments that cannot upgrade immediately:\n\n- Place NiceGUI behind a reverse proxy that rejects requests where the path after `/_nicegui/\u003cversion\u003e/esm/\u003ckey\u003e/` or `/_nicegui/\u003cversion\u003e/resources/\u003ckey\u003e/` is empty.\n- Rate-limit the `/_nicegui/` prefix at the proxy.\n- Configure log rotation aggressively for the affected service.",
  "id": "GHSA-pq7c-x8g4-rvp6",
  "modified": "2026-06-09T10:58:12Z",
  "published": "2026-05-18T20:22:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-pq7c-x8g4-rvp6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45554"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zauberzeug/nicegui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.12.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes"
}

GHSA-PQ9F-H5GQ-3577

Vulnerability from github – Published: 2026-04-28 00:31 – Updated: 2026-04-28 00:31
VLAI
Details

A vulnerability has been found in aligungr UERANSIM up to 3.2.7. The affected element is the function rls::DecodeRlsMessage in the library src/lib/rls/rls_pdu.cpp of the component Radio Link Simulation Layer. The manipulation of the argument pduLength leads to uncaught exception. The attack may be initiated remotely. Upgrading to version 3.2.8 is sufficient to fix this issue. The identifier of the patch is ca1a66fffe282767bb08618af9f848e3b68ea47b. It is suggested to upgrade the affected component. This behavior is related to CVE-2024-37877. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-7183"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-27T23:16:03Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in aligungr UERANSIM up to 3.2.7. The affected element is the function rls::DecodeRlsMessage in the library src/lib/rls/rls_pdu.cpp of the component Radio Link Simulation Layer. The manipulation of the argument pduLength leads to uncaught exception. The attack may be initiated remotely. Upgrading to version 3.2.8 is sufficient to fix this issue. The identifier of the patch is ca1a66fffe282767bb08618af9f848e3b68ea47b. It is suggested to upgrade the affected component. This behavior is related to CVE-2024-37877. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.",
  "id": "GHSA-pq9f-h5gq-3577",
  "modified": "2026-04-28T00:31:41Z",
  "published": "2026-04-28T00:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7183"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aligungr/UERANSIM/commit/ca1a66fffe282767bb08618af9f848e3b68ea47b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aligungr/UERANSIM"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aligungr/UERANSIM/releases/tag/v3.2.8"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/800026"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/359784"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/359784/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PV25-8Q8X-9236

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30
VLAI
Details

Uncaught exception in Microsoft Office allows an unauthorized attacker to deny service locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T17:16:03Z",
    "severity": "MODERATE"
  },
  "details": "Uncaught exception in Microsoft Office allows an unauthorized attacker to deny service locally.",
  "id": "GHSA-pv25-8q8x-9236",
  "modified": "2025-10-14T18:30:34Z",
  "published": "2025-10-14T18:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59229"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59229"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PVVP-CJFG-4JV4

Vulnerability from github – Published: 2025-02-14 00:30 – Updated: 2025-02-14 00:30
VLAI
Details

With a specially crafted Python script, an attacker could send continuous startMeasurement commands over an unencrypted Bluetooth connection to the affected device. This would prevent the device from connecting to a clinician's app to take patient readings and ostensibly flood it with requests, resulting in a denial-of-service condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24836"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-13T22:15:12Z",
    "severity": "MODERATE"
  },
  "details": "With a specially crafted Python script, an attacker could send \ncontinuous startMeasurement commands over an unencrypted Bluetooth \nconnection to the affected device. This would prevent the device from \nconnecting to a clinician\u0027s app to take patient readings and ostensibly \nflood it with requests, resulting in a denial-of-service condition.",
  "id": "GHSA-pvvp-cjfg-4jv4",
  "modified": "2025-02-14T00:30:44Z",
  "published": "2025-02-14T00:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24836"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-044-01"
    },
    {
      "type": "WEB",
      "url": "https://www.qardio.com/about-us/#contact"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PW39-F3M5-CXFC

Vulnerability from github – Published: 2024-03-29 12:30 – Updated: 2025-05-27 17:50
VLAI
Summary
Elasticsearch Uncaught Exception leading to crash
Details

An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the REST API. The Elasticsearch ingest node that attempts to parse the PDF file will crash. This does not happen with password-protected PDF files or with unencrypted PDF files.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.elasticsearch:elasticsearch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.4.0"
            },
            {
              "fixed": "8.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-23449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-29T15:58:06Z",
    "nvd_published_at": "2024-03-29T12:15:08Z",
    "severity": "MODERATE"
  },
  "details": "An uncaught exception in Elasticsearch \u003e= 8.4.0 and \u003c 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the REST API. The Elasticsearch ingest node that attempts to parse the PDF file will crash. This does not happen with password-protected PDF files or with unencrypted PDF files.",
  "id": "GHSA-pw39-f3m5-cxfc",
  "modified": "2025-05-27T17:50:43Z",
  "published": "2024-03-29T12:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23449"
    },
    {
      "type": "WEB",
      "url": "https://github.com/elastic/elasticsearch/commit/a59180459a3cb30b71399d778943cab4ac2191c4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/elastic/elasticsearch/commit/f9bf18a716613473fc1cb96c838874e1f9f6ba22"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/elasticsearch-8-11-1-security-update-esa-2024-05/356458"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/elastic/elasticsearch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Elasticsearch Uncaught Exception leading to crash"
}

GHSA-PW96-688C-5HRV

Vulnerability from github – Published: 2026-02-10 18:30 – Updated: 2026-02-10 18:30
VLAI
Details

Uncaught exception in the firmware for some 100GbE Intel(R) Ethernet Controller E810 before version cvl fw 1.7.8.x within Ring 0: Bare Metal OS may allow a denial of service. System software adversary with a privileged user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24851"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T17:16:12Z",
    "severity": "MODERATE"
  },
  "details": "Uncaught exception in the firmware for some 100GbE Intel(R) Ethernet Controller E810 before version cvl fw 1.7.8.x within Ring 0: Bare Metal OS may allow a denial of service. System software adversary with a privileged user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.",
  "id": "GHSA-pw96-688c-5hrv",
  "modified": "2026-02-10T18:30:39Z",
  "published": "2026-02-10T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24851"
    },
    {
      "type": "WEB",
      "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01171.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q26P-9CQ4-7FC2

Vulnerability from github – Published: 2025-01-30 17:51 – Updated: 2025-03-17 20:25
VLAI
Summary
Go Ethereum vulnerable to DoS via malicious p2p message
Details

Impact

A vulnerable node can be forced to shutdown/crash using a specially crafted message.

During the peer-to-peer connection handshake, a shared secret key is computed. The implementation did not verify whether the EC public key provided by the remote party is a valid point on the secp256k1 curve. By simply sending an all-zero public key, a crash could be induced due to unexpected results from the handshake.

The issue was fixed by adding a curve point validity check in https://github.com/ethereum/go-ethereum/commit/159fb1a1db551c544978dc16a5568a4730b4abf3

Patches

A fix has been included in geth version 1.14.13 and onwards.

Workarounds

Unfortunately, no workaround is available.

Credits

This issue was originally reported to Polygon Security by David Matosse (@iam-ned).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ethereum/go-ethereum"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.14.0"
            },
            {
              "fixed": "1.14.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24883"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-30T17:51:57Z",
    "nvd_published_at": "2025-01-30T16:15:31Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA vulnerable node can be forced to shutdown/crash using a specially crafted message.\n\nDuring the peer-to-peer connection handshake, a shared secret key is computed. The implementation\ndid not verify whether the EC public key provided by the remote party is a valid point on the secp256k1 curve.\nBy simply sending an all-zero public key, a crash could be induced due to unexpected results from the handshake.\n\nThe issue was fixed by adding a curve point validity check in https://github.com/ethereum/go-ethereum/commit/159fb1a1db551c544978dc16a5568a4730b4abf3\n\n### Patches\n\nA fix has been included in geth version 1.14.13 and onwards.\n\n### Workarounds\n\nUnfortunately, no workaround is available.\n\n### Credits\n\nThis issue was originally reported to Polygon Security by David Matosse (@iam-ned).",
  "id": "GHSA-q26p-9cq4-7fc2",
  "modified": "2025-03-17T20:25:21Z",
  "published": "2025-01-30T17:51:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-q26p-9cq4-7fc2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24883"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethereum/go-ethereum/commit/159fb1a1db551c544978dc16a5568a4730b4abf3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethereum/go-ethereum/commit/fa9a2ff8687ec9efe57b4b9833d5590d20f8a83f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ethereum/go-ethereum"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3436"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Go Ethereum vulnerable to DoS via malicious p2p message"
}

GHSA-Q3G5-4MM2-R2Q8

Vulnerability from github – Published: 2025-06-12 21:30 – Updated: 2025-06-12 21:30
VLAI
Details

AVEVA PI Data Archive products are vulnerable to an uncaught exception that, if exploited, could allow an authenticated user to shut down certain necessary PI Data Archive subsystems, resulting in a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-12T20:15:21Z",
    "severity": "HIGH"
  },
  "details": "AVEVA PI Data Archive products \nare vulnerable to an uncaught exception that, if exploited, could allow \nan authenticated user to shut down certain necessary PI Data Archive \nsubsystems, resulting in a denial of service.",
  "id": "GHSA-q3g5-4mm2-r2q8",
  "modified": "2025-06-12T21:30:31Z",
  "published": "2025-06-12T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36539"
    },
    {
      "type": "WEB",
      "url": "https://www.aveva.com/en/support-and-success/cyber-security-updates"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q49F-XG75-M9XW

Vulnerability from github – Published: 2026-04-09 20:23 – Updated: 2026-04-24 21:03
VLAI
Summary
Wasmtime has host panic when Winch compiler executes `table.fill`
Details

Impact

Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-of-service vulnerability in Wasmtime due to guests being able to trigger a panic.

The specific issue is that a historical refactoring, #11254, changed how compiled code referenced tables within the table.* instructions. This refactoring forgot to update the Winch code paths associated as well, meaning that Winch was using the wrong indexing scheme. Due to the feature support of Winch the only problem that can result is tables being mixed up or nonexistent tables being used, meaning that the guest is limited to panicking the host (using a nonexistent table), or executing spec-incorrect behavior and modifying the wrong table.

Patches

Wasmtime 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. Users are recommended to update to these patched versions of Wasmtime.

Workarounds

Users of Cranelift are not affected by this issue, but for users of Winch there is no workaround for this bug. Hosts are recommended to updated to a patched version of Wasmtime.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "25.0.0"
            },
            {
              "fixed": "36.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "37.0.0"
            },
            {
              "fixed": "42.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "43.0.0"
            },
            {
              "fixed": "43.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "43.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34946"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-670"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-09T20:23:21Z",
    "nvd_published_at": "2026-04-09T19:16:24Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWasmtime\u0027s Winch compiler contains a vulnerability where the compilation of the `table.fill` instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-of-service vulnerability in Wasmtime due to guests being able to trigger a panic.\n\nThe specific issue is that a historical refactoring, #11254, changed how compiled code referenced tables within the `table.*` instructions. This refactoring forgot to update the Winch code paths associated as well, meaning that Winch was using the wrong indexing scheme. Due to the feature support of Winch the only problem that can result is tables being mixed up or nonexistent tables being used, meaning that the guest is limited to panicking the host (using a nonexistent table), or executing spec-incorrect behavior and modifying the wrong table.\n\n### Patches\n\nWasmtime 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. Users are recommended to update to these patched versions of Wasmtime.\n\n### Workarounds\n\nUsers of Cranelift are not affected by this issue, but for users of Winch there is no workaround for this bug. Hosts are recommended to updated to a patched version of Wasmtime.",
  "id": "GHSA-q49f-xg75-m9xw",
  "modified": "2026-04-24T21:03:25Z",
  "published": "2026-04-09T20:23:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34946"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bytecodealliance/wasmtime"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0089.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Wasmtime has host panic when Winch compiler executes `table.fill`"
}

GHSA-Q58C-9R4V-FFF6

Vulnerability from github – Published: 2023-11-08 12:30 – Updated: 2024-09-04 21:30
VLAI
Details

Vulnerability of uncaught exceptions in the NFC module. Successful exploitation of this vulnerability can affect NFC availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46765"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-08T10:15:09Z",
    "severity": "HIGH"
  },
  "details": "Vulnerability of uncaught exceptions in the NFC module. Successful exploitation of this vulnerability can affect NFC availability.",
  "id": "GHSA-q58c-9r4v-fff6",
  "modified": "2024-09-04T21:30:30Z",
  "published": "2023-11-08T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46765"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2023/11"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202311-0000001729189597"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.