CWE-248
AllowedUncaught Exception
Abstraction: Base · Status: Draft
An exception is thrown from a function, but it is not caught.
420 vulnerabilities reference this CWE, most recent first.
GHSA-Q7CG-457F-VX79
Vulnerability from github – Published: 2026-06-11 13:27 – Updated: 2026-06-12 19:28Impact
Denial of service via untrapped exception in services validating user-supplied JSON / object input with recursive link schemas.
The blast radius depends on how the application invokes joi:
- Highest impact: validate() called without try/catch in a request handler would cause an unhandled exception, potentially crashing the process.
- Lower impact: validateAsync() or validate() inside a try/catch, the validation fails, but the error type is RangeError rather than a structured ValidationError, complicating error handling.
Patches
Upgrade to version >= 18.2.1.
Workarounds
Try/catch the validation to avoid uncaught exceptions.
References
- Pull request: hapijs/joi#3113
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "joi"
},
"ranges": [
{
"events": [
{
"introduced": "18.0.0"
},
{
"fixed": "18.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "joi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "17.13.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48038"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-11T13:27:32Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nDenial of service via untrapped exception in services validating user-supplied JSON / object input with recursive link schemas. \n\nThe blast radius depends on how the application invokes joi:\n- Highest impact: `validate()` called without `try/catch` in a request handler would cause an unhandled exception, potentially crashing the process.\n- Lower impact: `validateAsync()` or `validate()` inside a `try/catch`, the validation fails, but the error type is `RangeError` rather than a structured `ValidationError`, complicating error handling.\n\n### Patches\nUpgrade to version \u003e= 18.2.1.\n\n### Workarounds\nTry/catch the validation to avoid uncaught exceptions.\n\n### References\n- Pull request: hapijs/joi#3113",
"id": "GHSA-q7cg-457f-vx79",
"modified": "2026-06-12T19:28:27Z",
"published": "2026-06-11T13:27:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hapijs/joi/security/advisories/GHSA-q7cg-457f-vx79"
},
{
"type": "WEB",
"url": "https://github.com/hapijs/joi/pull/3113"
},
{
"type": "WEB",
"url": "https://github.com/hapijs/joi/commit/2392713d3e9dd91ba752ac0c96e0eaf3d24b9a11"
},
{
"type": "PACKAGE",
"url": "https://github.com/hapijs/joi"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas"
}
GHSA-Q7H6-X952-46FM
Vulnerability from github – Published: 2026-07-14 21:32 – Updated: 2026-07-14 21:32NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause an uncaught exception. A successful exploit of this vulnerability might lead to denial of service.
{
"affected": [],
"aliases": [
"CVE-2026-47480"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T20:17:03Z",
"severity": "HIGH"
},
"details": "NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause an uncaught exception. A successful exploit of this vulnerability might lead to denial of service.",
"id": "GHSA-q7h6-x952-46fm",
"modified": "2026-07-14T21:32:17Z",
"published": "2026-07-14T21:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47480"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47480"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q8P5-C986-46JG
Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02A vulnerability has been identified in SIMATIC CP 443-1 OPC UA (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions < V2.7), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants) (All versions < V15.1 Upd 4), SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants) (All versions < V15.1 Upd 4), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V15.1 Upd 4), SIMATIC IPC DiagMonitor (All versions < V5.1.3), SIMATIC NET PC Software V13 (All versions), SIMATIC NET PC Software V14 (All versions < V14 SP1 Update 14), SIMATIC NET PC Software V15 (All versions), SIMATIC RF188C (All versions < V1.1.0), SIMATIC RF600R (All versions < V3.2.1), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions >= V2.5 < V2.6.1), SIMATIC S7-1500 Software Controller (All versions between V2.5 (including) and V2.7 (excluding)), SIMATIC WinCC OA (All versions < V3.15 P018), SIMATIC WinCC Runtime Advanced (All versions < V15.1 Upd 4), SINEC-NMS (All versions < V1.0 SP1), SINEMA Server (All versions < V14 SP2), SINUMERIK OPC UA Server (All versions < V2.1), TeleControl Server Basic (All versions). Specially crafted network packets sent to affected devices on port 4840/tcp could allow an unauthenticated remote attacker to cause a denial of service condition of the OPC communication or crash the device. The security vulnerability could be exploited by an attacker with network access to the affected systems. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise availability of the OPC communication.
{
"affected": [],
"aliases": [
"CVE-2019-6575"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-17T14:29:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SIMATIC CP 443-1 OPC UA (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions \u003c V2.7), SIMATIC HMI Comfort Outdoor Panels 7\" \u0026 15\" (incl. SIPLUS variants) (All versions \u003c V15.1 Upd 4), SIMATIC HMI Comfort Panels 4\" - 22\" (incl. SIPLUS variants) (All versions \u003c V15.1 Upd 4), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions \u003c V15.1 Upd 4), SIMATIC IPC DiagMonitor (All versions \u003c V5.1.3), SIMATIC NET PC Software V13 (All versions), SIMATIC NET PC Software V14 (All versions \u003c V14 SP1 Update 14), SIMATIC NET PC Software V15 (All versions), SIMATIC RF188C (All versions \u003c V1.1.0), SIMATIC RF600R (All versions \u003c V3.2.1), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions \u003e= V2.5 \u003c V2.6.1), SIMATIC S7-1500 Software Controller (All versions between V2.5 (including) and V2.7 (excluding)), SIMATIC WinCC OA (All versions \u003c V3.15 P018), SIMATIC WinCC Runtime Advanced (All versions \u003c V15.1 Upd 4), SINEC-NMS (All versions \u003c V1.0 SP1), SINEMA Server (All versions \u003c V14 SP2), SINUMERIK OPC UA Server (All versions \u003c V2.1), TeleControl Server Basic (All versions). Specially crafted network packets sent to affected devices on port 4840/tcp could allow an unauthenticated remote attacker to cause a denial of service condition of the OPC communication or crash the device. The security vulnerability could be exploited by an attacker with network access to the affected systems. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise availability of the OPC communication.",
"id": "GHSA-q8p5-c986-46jg",
"modified": "2022-05-13T01:02:36Z",
"published": "2022-05-13T01:02:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6575"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-307392.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q8RX-W8H7-J8XW
Vulnerability from github – Published: 2024-02-21 21:30 – Updated: 2024-09-27 18:32Malformed S2 Nonce Get Command Class packets can be sent to crash PC Controller v5.54.0 and earlier.
{
"affected": [],
"aliases": [
"CVE-2023-6640"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-21T20:15:46Z",
"severity": "MODERATE"
},
"details": "Malformed S2 Nonce Get Command Class packets can be sent to crash PC Controller v5.54.0 and earlier.\u00a0",
"id": "GHSA-q8rx-w8h7-j8xw",
"modified": "2024-09-27T18:32:20Z",
"published": "2024-02-21T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6640"
},
{
"type": "WEB",
"url": "https://community.silabs.com/068Vm000001HdNm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q9MW-68C2-J6M5
Vulnerability from github – Published: 2023-05-03 21:56 – Updated: 2025-02-13 18:54Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
at Server.onWebSocket (build/server.js:515:67)
This impacts all the users of the engine.io package, including those who uses depending packages like socket.io.
Patches
A fix has been released today (2023/05/02): 6.4.2
This bug was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted.
For socket.io users:
| Version range | engine.io version |
Needs minor update? |
|---|---|---|
socket.io@4.6.x |
~6.4.0 |
npm audit fix should be sufficient |
socket.io@4.5.x |
~6.2.0 |
Please upgrade to socket.io@4.6.x |
socket.io@4.4.x |
~6.1.0 |
Please upgrade to socket.io@4.6.x |
socket.io@4.3.x |
~6.0.0 |
Please upgrade to socket.io@4.6.x |
socket.io@4.2.x |
~5.2.0 |
Please upgrade to socket.io@4.6.x |
socket.io@4.1.x |
~5.1.1 |
Please upgrade to socket.io@4.6.x |
socket.io@4.0.x |
~5.0.0 |
Not impacted |
socket.io@3.1.x |
~4.1.0 |
Not impacted |
socket.io@3.0.x |
~4.0.0 |
Not impacted |
socket.io@2.5.0 |
~3.6.0 |
Not impacted |
socket.io@2.4.x and below |
~3.5.0 |
Not impacted |
Workarounds
There is no known workaround except upgrading to a safe version.
For more information
If you have any questions or comments about this advisory:
- Open an issue in
engine.io
Thanks to Thomas Rinsma from Codean for the responsible disclosure.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "engine.io"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0"
},
{
"fixed": "6.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-31125"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-03T21:56:51Z",
"nvd_published_at": "2023-05-08T21:15:11Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.\n\n```\nTypeError: Cannot read properties of undefined (reading \u0027handlesUpgrades\u0027)\n at Server.onWebSocket (build/server.js:515:67)\n```\n\nThis impacts all the users of the [`engine.io`](https://www.npmjs.com/package/engine.io) package, including those who uses depending packages like [`socket.io`](https://www.npmjs.com/package/socket.io).\n\n### Patches\n\nA fix has been released today (2023/05/02): [6.4.2](https://github.com/socketio/engine.io/releases/tag/6.4.2)\n\nThis bug was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted.\n\nFor `socket.io` users:\n\n| Version range | `engine.io` version | Needs minor update? |\n|-----------------------------|---------------------|--------------------------------------------------------------------------------------------------------|\n| `socket.io@4.6.x` | `~6.4.0` | `npm audit fix` should be sufficient |\n| `socket.io@4.5.x` | `~6.2.0` | Please upgrade to `socket.io@4.6.x` |\n| `socket.io@4.4.x` | `~6.1.0` | Please upgrade to `socket.io@4.6.x` |\n| `socket.io@4.3.x` | `~6.0.0` | Please upgrade to `socket.io@4.6.x` |\n| `socket.io@4.2.x` | `~5.2.0` | Please upgrade to `socket.io@4.6.x` |\n| `socket.io@4.1.x` | `~5.1.1` | Please upgrade to `socket.io@4.6.x` |\n| `socket.io@4.0.x` | `~5.0.0` | Not impacted |\n| `socket.io@3.1.x` | `~4.1.0` | Not impacted |\n| `socket.io@3.0.x` | `~4.0.0` | Not impacted |\n| `socket.io@2.5.0` | `~3.6.0` | Not impacted |\n| `socket.io@2.4.x` and below | `~3.5.0` | Not impacted |\n\n### Workarounds\n\nThere is no known workaround except upgrading to a safe version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [`engine.io`](https://github.com/socketio/engine.io)\n\nThanks to Thomas Rinsma from Codean for the responsible disclosure.",
"id": "GHSA-q9mw-68c2-j6m5",
"modified": "2025-02-13T18:54:10Z",
"published": "2023-05-03T21:56:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/socketio/engine.io/security/advisories/GHSA-q9mw-68c2-j6m5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31125"
},
{
"type": "WEB",
"url": "https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44"
},
{
"type": "PACKAGE",
"url": "https://github.com/socketio/engine.io"
},
{
"type": "WEB",
"url": "https://github.com/socketio/engine.io/releases/tag/6.4.2"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230622-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "engine.io Uncaught Exception vulnerability"
}
GHSA-QJ59-CXRX-FR36
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2026-05-29 15:30A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when an invalid private command parameter is sent to the controller over Modbus.
{
"affected": [],
"aliases": [
"CVE-2018-7852"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-22T20:29:00Z",
"severity": "HIGH"
},
"details": "A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when an invalid private command parameter is sent to the controller over Modbus.",
"id": "GHSA-qj59-cxrx-fr36",
"modified": "2026-05-29T15:30:21Z",
"published": "2022-05-24T16:46:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7852"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0763"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QJRV-V6QP-X99X
Vulnerability from github – Published: 2024-10-08 22:20 – Updated: 2024-10-08 22:20The error rendering code from the parser would panic when handling failed parsing of queries where the error occurred when converting an empty string to a SurrealDB value. This would be the case when casting an empty string to a record, duration or datetime, as well as potentially when parsing an empty string to JSON or providing an empty string to the type::field and type::fields functions.
Impact
A client that is authorized to run queries in a SurrealDB server would be able to execute a malformed query which would fail to parse when converting an empty string and cause a panic in the error rendering code. This would crash the server, leading to denial of service.
Patches
- Version 2.0.4 and later are not affected by this issue.
Workarounds
Affected users who are unable to update may want to limit the ability of untrusted clients to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-08T22:20:02Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The error rendering code from the parser would panic when handling failed parsing of queries where the error occurred when converting an empty string to a SurrealDB value. This would be the case when casting an empty string to a `record`, `duration` or `datetime`, as well as potentially when parsing an empty string to JSON or providing an empty string to the `type::field` and `type::fields` functions.\n\n### Impact\n\nA client that is authorized to run queries in a SurrealDB server would be able to execute a malformed query which would fail to parse when converting an empty string and cause a panic in the error rendering code. This would crash the server, leading to denial of service.\n\n### Patches\n\n- Version 2.0.4 and later are not affected by this issue.\n\n### Workarounds\n\nAffected users who are unable to update may want to limit the ability of untrusted clients to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.",
"id": "GHSA-qjrv-v6qp-x99x",
"modified": "2024-10-08T22:20:02Z",
"published": "2024-10-08T22:20:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-qjrv-v6qp-x99x"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/pull/4923"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/commit/709d6efe901dbf3e207b4fc2ebc30775595efc16"
},
{
"type": "PACKAGE",
"url": "https://github.com/surrealdb/surrealdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SurrealDB has an Uncaught Exception Handling Parsing Errors on Empty Strings"
}
GHSA-QP34-X42W-4GFQ
Vulnerability from github – Published: 2025-12-02 03:31 – Updated: 2025-12-02 15:30In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689252; Issue ID: MSV-4841.
{
"affected": [],
"aliases": [
"CVE-2025-20753"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-02T03:16:16Z",
"severity": "MODERATE"
},
"details": "In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689252; Issue ID: MSV-4841.",
"id": "GHSA-qp34-x42w-4gfq",
"modified": "2025-12-02T15:30:30Z",
"published": "2025-12-02T03:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20753"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/December-2025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QPFX-PHG6-H966
Vulnerability from github – Published: 2025-06-12 21:30 – Updated: 2025-06-12 21:30AVEVA PI Data Archive products are vulnerable to an uncaught exception that, if exploited, could allow an authenticated user to shut down certain necessary PI Data Archive subsystems, resulting in a denial of service. Depending on the timing of the crash, data present in snapshots/write cache may be lost.
{
"affected": [],
"aliases": [
"CVE-2025-44019"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-12T20:15:21Z",
"severity": "HIGH"
},
"details": "AVEVA PI Data Archive products are vulnerable to an uncaught exception that, if \nexploited, could allow an authenticated user to shut down certain \nnecessary PI Data Archive subsystems, resulting in a denial of service. \nDepending on the timing of the crash, data present in snapshots/write \ncache may be lost.",
"id": "GHSA-qpfx-phg6-h966",
"modified": "2025-06-12T21:30:31Z",
"published": "2025-06-12T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-44019"
},
{
"type": "WEB",
"url": "https://my.osisoft.com"
},
{
"type": "WEB",
"url": "https://www.aveva.com/en/support-and-success/cyber-security-updates"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-07"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QQFJ-4VCM-26HV
Vulnerability from github – Published: 2026-04-09 20:22 – Updated: 2026-04-24 21:03On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests.
Details
The f64x2.splat operator, when operating on a value loaded from a memory (for example with f64.load), compiles with Cranelift to code on x86-64 without SSE3 that loads 128 bits (16 bytes) rather than the expected 64 bits (8 bytes) from memory. When the address is in-bounds for a (correct) 8-byte load but not an (incorrect) 16-byte load, this can load beyond memory by up to 8 bytes. This can result in three different behaviors depending on Wasmtime's configuration:
- If guard pages are disabled then this extra data will be loaded. The extra data is present in the upper bits of a register, but the upper bits are not visible to WebAssembly guests. Actually witnessing this data would require a different bug in Cranelift, of which none are known. Thus in this situation while it's something we're patching in Cranelift it's not a security issue.
- If guard pages are enabled, and signals-based-traps are enabled, then this operation will result in a safe WebAssembly trap. The trap is incorrect because the load is not out-of-bounds as defined by WebAssembly, but this mistakenly widened load will load bytes from an unmapped guard page, causing a segfault which is caught and handled as a Wasm trap. In this situation this is not a security issue, but we're patching Cranelift to fix the WebAssembly behavior.
- If guard pages are enabled, and signals-based-traps are disabled, then this operation results in an uncaught segfault. Like the previous case with guard pages enabled this will load from an unmapped guard page. Unlike before, however, signals-based-traps are disabled meaning that signal handlers aren't configured. The resulting segfault will, by default, terminate the process. This is a security issue from a DoS perspective, but does not represent an arbitrary read or write from WebAssembly, for example.
Wasmtime's default configuration is case (2) in this case. That means that Wasmtime, by default, incorrectly executes this WebAssembly instruction but does not have insecure behavior.
Impact
If signals-based-traps are disabled and guard pages are enabled then guests can trigger an uncaught segfault in the host, likely aborting the host process. This represents, for example, a DoS vector for WebAssembly guests.
This bug does not affect Wasmtime's default configuration and requires signals-based-traps to be disabled. This bug only affects the x86-64 target with the SSE3 feature disabled and the Cranelift backend (Wasmtime's default backend).
Patches
Wasmtime 24.0.7, 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. Users are recommended to update to these patched versions of Wasmtime.
Workarounds
This bug only affects x86-64 hosts where SSE3 is disabled. If SSE3 is enabled or if a non-x86-64 host is used then hosts are not affect. Otherwise there are no known workarounds to this issue.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "24.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "25.0.0"
},
{
"fixed": "36.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "37.0.0"
},
{
"fixed": "42.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "43.0.0"
},
{
"fixed": "43.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"43.0.0"
]
}
],
"aliases": [
"CVE-2026-34944"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-09T20:22:45Z",
"nvd_published_at": "2026-04-09T19:16:24Z",
"severity": "MODERATE"
},
"details": "On x86-64 platforms with SSE3 disabled Wasmtime\u0027s compilation of the `f64x2.splat` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When [signals-based-traps](https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps) are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it\u0027s possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests.\n\n### Details\n\nThe `f64x2.splat` operator, when operating on a value loaded from a memory (for example with f64.load), compiles with Cranelift to code on x86-64 without SSE3 that loads 128 bits (16 bytes) rather than the expected 64 bits (8 bytes) from memory. When the address is in-bounds for a (correct) 8-byte load but not an (incorrect) 16-byte load, this can load beyond memory by up to 8 bytes. This can result in three different behaviors depending on Wasmtime\u0027s configuration:\n\n1. If guard pages are disabled then this extra data will be loaded. The extra data is present in the upper bits of a register, but the upper bits are not visible to WebAssembly guests. Actually witnessing this data would require a different bug in Cranelift, of which none are known. Thus in this situation while it\u0027s something we\u0027re patching in Cranelift it\u0027s not a security issue.\n2. If guard pages are enabled, and [signals-based-traps](https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps) are enabled, then this operation will result in a safe WebAssembly trap. The trap is incorrect because the load is not out-of-bounds as defined by WebAssembly, but this mistakenly widened load will load bytes from an unmapped guard page, causing a segfault which is caught and handled as a Wasm trap. In this situation this is not a security issue, but we\u0027re patching Cranelift to fix the WebAssembly behavior.\n3. If guard pages are enabled, and [signals-based-traps](https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps) are disabled, then this operation results in an uncaught segfault. Like the previous case with guard pages enabled this will load from an unmapped guard page. Unlike before, however, signals-based-traps are disabled meaning that signal handlers aren\u0027t configured. The resulting segfault will, by default, terminate the process. This is a security issue from a DoS perspective, but does not represent an arbitrary read or write from WebAssembly, for example.\n\nWasmtime\u0027s default configuration is case (2) in this case. That means that Wasmtime, by default, incorrectly executes this \nWebAssembly instruction but does not have insecure behavior.\n\n### Impact\n\nIf [signals-based-traps](https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps) are disabled and guard pages are enabled then guests can trigger an uncaught segfault in the host, likely aborting the host process. This represents, for example, a DoS vector for WebAssembly guests.\n\nThis bug does not affect Wasmtime\u0027s default configuration and requires [signals-based-traps](https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps) to be disabled. This bug only affects the x86-64 target with the SSE3 feature disabled and the Cranelift backend (Wasmtime\u0027s default backend).\n\n### Patches\n\nWasmtime 24.0.7, 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. Users are recommended to update to these patched versions of Wasmtime.\n\n### Workarounds\n\nThis bug only affects x86-64 hosts where SSE3 is disabled. If SSE3 is enabled or if a non-x86-64 host is used then hosts are not affect. Otherwise there are no known workarounds to this issue.",
"id": "GHSA-qqfj-4vcm-26hv",
"modified": "2026-04-24T21:03:37Z",
"published": "2026-04-09T20:22:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34944"
},
{
"type": "PACKAGE",
"url": "https://github.com/bytecodealliance/wasmtime"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0087.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64 "
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.