CVE-2026-34987 (GCVE-0-2026-34987)
Vulnerability from cvelistv5 – Published: 2026-04-09 18:48 – Updated: 2026-04-10 14:12

| URL | Tags |
|---|---|
| https://github.com/bytecodealliance/wasmtime/secu… | x_refsource_CONFIRM |

| Vendor | Product | Version |
|---|---|---|
| bytecodealliance | wasmtime | Affected: >= 25.0.0, < 36.0.7; Affected: >= 37.0.0, < 42.0.2; Affected: >= 43.0.0, < 44.0.1 |

{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34987",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T14:12:37.362283Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T14:12:55.374Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "wasmtime",
"vendor": "bytecodealliance",
"versions": [
{
"status": "affected",
"version": "\u003e= 25.0.0, \u003c 36.0.7"
},
{
"status": "affected",
"version": "\u003e= 37.0.0, \u003c 42.0.2"
},
{
"status": "affected",
"version": "\u003e= 43.0.0, \u003c 44.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-memory sandbox. This vulnerability requires use of the Winch compiler (-Ccompiler=winch). By default, Wasmtime uses its Cranelift backend, not Winch. With Winch, the same incorrect assumption is present in theory on both aarch64 and x86-64. The aarch64 case has an observed-working proof of concept, while the x86-64 case is theoretical and may not be reachable in practice. This Winch compiler bug can allow the Wasm guest to access memory before or after the linear-memory region, independently of whether pre- or post-guard regions are configured. The accessible range in the initial bug proof-of-concept is up to 32KiB before the start of memory, or ~4GiB after the start of memory, independently of the size of pre- or post-guard regions or the use of explicit or guard-region-based bounds checking. However, the underlying bug assumes a 32-bit memory offset stored in a 64-bit register has its upper bits cleared when it may not, and so closely related variants of the initial proof-of-concept may be able to access truly arbitrary memory in-process. This could result in a host process segmentation fault (DoS), an arbitrary data leak from the host process, or with a write, potentially an arbitrary RCE. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T18:48:33.552Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83"
}
],
"source": {
"advisory": "GHSA-xx5w-cvp6-jv83",
"discovery": "UNKNOWN"
},
"title": "Wasmtime with Winch compiler backend on aarch64 may allow a sandbox-escaping memory access"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34987",
"datePublished": "2026-04-09T18:48:33.552Z",
"dateReserved": "2026-03-31T19:38:31.617Z",
"dateUpdated": "2026-04-10T14:12:55.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-34987",
"date": "2026-05-28",
"epss": "0.00058",
"percentile": "0.18218"
}
}
}
FKIE_CVE-2026-34987
Vulnerability from fkie_nvd - Published: 2026-04-09 19:16 - Updated: 2026-04-15 13:41

| Vendor | Product | Version |
|---|---|---|
| bytecodealliance | wasmtime | * |
| bytecodealliance | wasmtime | * |
| bytecodealliance | wasmtime | 43.0.0 |

{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*",
"matchCriteriaId": "B5AB2157-3977-49F9-9058-6B16A2556170",
"versionEndExcluding": "36.0.7",
"versionStartIncluding": "25.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*",
"matchCriteriaId": "1D7B70EB-93E3-4732-AB70-E6A531178941",
"versionEndExcluding": "42.0.2",
"versionStartIncluding": "37.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:43.0.0:*:*:*:*:rust:*:*",
"matchCriteriaId": "9AD0150A-FE79-4EA6-995B-8CAFC7F246B5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-memory sandbox. This vulnerability requires use of the Winch compiler (-Ccompiler=winch). By default, Wasmtime uses its Cranelift backend, not Winch. With Winch, the same incorrect assumption is present in theory on both aarch64 and x86-64. The aarch64 case has an observed-working proof of concept, while the x86-64 case is theoretical and may not be reachable in practice. This Winch compiler bug can allow the Wasm guest to access memory before or after the linear-memory region, independently of whether pre- or post-guard regions are configured. The accessible range in the initial bug proof-of-concept is up to 32KiB before the start of memory, or ~4GiB after the start of memory, independently of the size of pre- or post-guard regions or the use of explicit or guard-region-based bounds checking. However, the underlying bug assumes a 32-bit memory offset stored in a 64-bit register has its upper bits cleared when it may not, and so closely related variants of the initial proof-of-concept may be able to access truly arbitrary memory in-process. This could result in a host process segmentation fault (DoS), an arbitrary data leak from the host process, or with a write, potentially an arbitrary RCE. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1."
}
],
"id": "CVE-2026-34987",
"lastModified": "2026-04-15T13:41:57.870",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-04-09T19:16:25.000",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-125"
},
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-XX5W-CVP6-JV83
Vulnerability from github – Published: 2026-04-10 15:31 – Updated: 2026-04-10 15:31
Impact
Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-memory sandbox.
This vulnerability requires use of the Winch compiler (-Ccompiler=winch). By default, Wasmtime uses its Cranelift backend, not Winch. With Winch, the same incorrect assumption is present in theory on both aarch64 and x86-64. The aarch64 case has an observed-working proof of concept, while the x86-64 case is theoretical and may not be reachable in practice.
This Winch compiler bug can allow the Wasm guest to access memory before or after the linear-memory region, independently of whether pre- or post-guard regions are configured. The accessible range in the initial bug proof-of-concept is up to 32KiB before the start of memory, or ~4GiB after the start of memory, independently of the size of pre- or post-guard regions or the use of explicit or guard-region-based bounds checking. However, the underlying bug assumes a 32-bit memory offset stored in a 64-bit register has its upper bits cleared when it may not, and so closely related variants of the initial proof-of-concept may be able to access truly arbitrary memory in-process. This could result in a host process segmentation fault (DoS), an arbitrary data leak from the host process, or with a write, potentially an arbitrary RCE.
Patches
Wasmtime 43.0.1, 42.0.2, and 36.0.7 have been released with fixes for this issue.
Workaround
There are no workarounds within the Winch compiler backend while using the affected versions. Users of Wasmtime are encouraged either to upgrade to patched versions or, if that is not possible, use the Cranelift compiler backend.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "25.0.0"
},
{
"fixed": "36.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "37.0.0"
},
{
"fixed": "42.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "43.0.0"
},
{
"fixed": "43.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"43.0.0"
]
}
],
"aliases": [
"CVE-2026-34987"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T15:31:18Z",
"nvd_published_at": "2026-04-09T19:16:25Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nWasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-memory sandbox.\n\nThis vulnerability requires use of the Winch compiler (`-Ccompiler=winch`). By default, Wasmtime uses its Cranelift backend, not Winch. With Winch, the same incorrect assumption is present in theory on both aarch64 and x86-64. The aarch64 case has an observed-working proof of concept, while the x86-64 case is theoretical and may not be reachable in practice.\n\nThis Winch compiler bug can allow the Wasm guest to access memory before or after the linear-memory region, independently of whether pre- or post-guard regions are configured. The accessible range in the initial bug proof-of-concept is up to 32KiB before the start of memory, or ~4GiB after the start of memory, independently of the size of pre- or post-guard regions or the use of explicit or guard-region-based bounds checking. However, the underlying bug assumes a 32-bit memory offset stored in a 64-bit register has its upper bits cleared when it may not, and so closely related variants of the initial proof-of-concept may be able to access truly arbitrary memory in-process. This could result in a host process segmentation fault (DoS), an arbitrary data leak from the host process, or with a write, potentially an arbitrary RCE.\n\n### Patches\n\nWasmtime 43.0.1, 42.0.2, and 36.0.7 have been released with fixes for this issue.\n\n### Workaround\n\nThere are no workarounds within the Winch compiler backend while using the affected versions. Users of Wasmtime are encouraged either to upgrade to patched versions or, if that is not possible, use the Cranelift compiler backend.",
"id": "GHSA-xx5w-cvp6-jv83",
"modified": "2026-04-10T15:31:18Z",
"published": "2026-04-10T15:31:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34987"
},
{
"type": "PACKAGE",
"url": "https://github.com/bytecodealliance/wasmtime"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0095.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Wasmtime with Winch compiler backend on aarch64 may allow a sandbox-escaping memory access"
}
rustsec-2026-0095
Vulnerability from osv_rustsec
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83. For more information, see the GitHub-hosted security advisory.
{
"affected": [
{
"database_specific": {
"categories": [],
"cvss": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "wasmtime",
"purl": "pkg:cargo/wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "36.0.7"
},
{
"introduced": "37.0.0"
},
{
"fixed": "42.0.2"
},
{
"introduced": "43.0.0"
},
{
"fixed": "43.0.1"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"CVE-2026-34987",
"GHSA-xx5w-cvp6-jv83"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "This is an entry in the RustSec database for the Wasmtime security advisory\nlocated at\nhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83\nFor more information see the GitHub-hosted security advisory.",
"id": "RUSTSEC-2026-0095",
"modified": "2026-04-09T19:59:38Z",
"published": "2026-04-09T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/wasmtime"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0095.html"
},
{
"type": "ADVISORY",
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83"
}
],
"related": [],
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Wasmtime with Winch compiler backend may allow a sandbox-escaping memory access"
}
SUSE-SU-2026:21789-1
Vulnerability from csaf_suse - Published: 2026-05-14 08:09 - Updated: 2026-05-14 08:09

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64 | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for tree-sitter",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for tree-sitter fixes the following issues\n\nSecurity issues:\n\n- CVE-2026-34941: wasmtime: crafted input string can lead to an out-of-bound read (bsc#1261871).\n- CVE-2026-34942: wasmtime: unaligned pointers can lead to a denial of service (bsc#1261894).\n- CVE-2026-34943: wasmtime: lifting `flags` component value can lead to a denial of service (bsc#1261954).\n- CVE-2026-34944: wasmtime: out-of-bounds read during WebAssembly compilation can lead to a denial of service\n (bsc#1261963).\n- CVE-2026-34945: wasmtime: incorrectly translated table.size could lead to disclosing data (bsc#1262007).\n- CVE-2026-34946: wasmtime: denial of service due to WebAssembly compilation error (bsc#1261974).\n- CVE-2026-34987: wasmtime: winch compiler backend may allow a sandbox-escaping memory access (bsc#1262032).\n- CVE-2026-34988: wasmtime: pooling allocator instances can cause data leakage (bsc#1261968).\n- CVE-2026-35186: wasmtime: translating the table.grow operator can cause a masked return value (bsc#1262036).\n- CVE-2026-35195: wasmtime: transcoding strings can lead to an out of bound write or a crash (bsc#1262040).\n\nChanges for tree-sitter:\n\n- update to 0.26.8:\n\n * fix(generate): allow disabling qjs-rt feature from CLI by @WillLillis in\n #5448\n * fix(lib): document invariants that must be upheld for TSInputEdit by\n @WillLillis in #5452\n * fix(cli): correct typo in parse command\u0027s help text by @WillLillis in #5465\n * perf(cli): misc. improvements by @tree-sitter-ci-bot[bot] in #5476\n * Fix wasm loading of languages w/ multiple reserved word sets by\n @tree-sitter-ci-bot[bot] in #5477\n * generate: avoid panicking when a supertype only has hidden external token\n children by @tree-sitter-ci-bot[bot] in #5478\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-743",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21789-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21789-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621789-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21789-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046824.html"
},
{
"category": "self",
"summary": "SUSE Bug 1259205",
"url": "https://bugzilla.suse.com/1259205"
},
{
"category": "self",
"summary": "SUSE Bug 1261839",
"url": "https://bugzilla.suse.com/1261839"
},
{
"category": "self",
"summary": "SUSE Bug 1261871",
"url": "https://bugzilla.suse.com/1261871"
},
{
"category": "self",
"summary": "SUSE Bug 1261894",
"url": "https://bugzilla.suse.com/1261894"
},
{
"category": "self",
"summary": "SUSE Bug 1261954",
"url": "https://bugzilla.suse.com/1261954"
},
{
"category": "self",
"summary": "SUSE Bug 1261963",
"url": "https://bugzilla.suse.com/1261963"
},
{
"category": "self",
"summary": "SUSE Bug 1261968",
"url": "https://bugzilla.suse.com/1261968"
},
{
"category": "self",
"summary": "SUSE Bug 1261974",
"url": "https://bugzilla.suse.com/1261974"
},
{
"category": "self",
"summary": "SUSE Bug 1262007",
"url": "https://bugzilla.suse.com/1262007"
},
{
"category": "self",
"summary": "SUSE Bug 1262032",
"url": "https://bugzilla.suse.com/1262032"
},
{
"category": "self",
"summary": "SUSE Bug 1262036",
"url": "https://bugzilla.suse.com/1262036"
},
{
"category": "self",
"summary": "SUSE Bug 1262040",
"url": "https://bugzilla.suse.com/1262040"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34941 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34941/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34942 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34942/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34943 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34943/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34944 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34944/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34945 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34945/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34946 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34946/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34987 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34987/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34988 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34988/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35186/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35195 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35195/"
}
],
"title": "Security update for tree-sitter",
"tracking": {
"current_release_date": "2026-05-14T08:09:11Z",
"generator": {
"date": "2026-05-14T08:09:11Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21789-1",
"initial_release_date": "2026-05-14T08:09:11Z",
"revision_history": [
{
"date": "2026-05-14T08:09:11Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"product": {
"name": "libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"product_id": "libtree-sitter0_26-0.26.8-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"product": {
"name": "tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"product_id": "tree-sitter-devel-0.26.8-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"product": {
"name": "libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"product_id": "libtree-sitter0_26-0.26.8-160000.1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"product": {
"name": "tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"product_id": "tree-sitter-devel-0.26.8-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"product": {
"name": "libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"product_id": "libtree-sitter0_26-0.26.8-160000.1.1.s390x"
}
},
{
"category": "product_version",
"name": "tree-sitter-devel-0.26.8-160000.1.1.s390x",
"product": {
"name": "tree-sitter-devel-0.26.8-160000.1.1.s390x",
"product_id": "tree-sitter-devel-0.26.8-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"product": {
"name": "libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"product_id": "libtree-sitter0_26-0.26.8-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"product": {
"name": "libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"product_id": "libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"product": {
"name": "tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"product_id": "tree-sitter-devel-0.26.8-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "libtree-sitter0_26-0.26.8-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64"
},
"product_reference": "libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libtree-sitter0_26-0.26.8-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le"
},
"product_reference": "libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libtree-sitter0_26-0.26.8-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x"
},
"product_reference": "libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libtree-sitter0_26-0.26.8-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64"
},
"product_reference": "libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64"
},
"product_reference": "libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tree-sitter-devel-0.26.8-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64"
},
"product_reference": "tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tree-sitter-devel-0.26.8-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le"
},
"product_reference": "tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tree-sitter-devel-0.26.8-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x"
},
"product_reference": "tree-sitter-devel-0.26.8-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tree-sitter-devel-0.26.8-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
},
"product_reference": "tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libtree-sitter0_26-0.26.8-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64"
},
"product_reference": "libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libtree-sitter0_26-0.26.8-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le"
},
"product_reference": "libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libtree-sitter0_26-0.26.8-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x"
},
"product_reference": "libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libtree-sitter0_26-0.26.8-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64"
},
"product_reference": "libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64"
},
"product_reference": "libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tree-sitter-devel-0.26.8-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64"
},
"product_reference": "tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tree-sitter-devel-0.26.8-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le"
},
"product_reference": "tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tree-sitter-devel-0.26.8-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x"
},
"product_reference": "tree-sitter-devel-0.26.8-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tree-sitter-devel-0.26.8-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
},
"product_reference": "tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-34941",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34941"
}
],
"notes": [
{
"category": "general",
"text": "Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byte length of the input string when performing a bounds check. Specifically the number of code units was checked instead of the byte length, which is twice the size of the code units. This vulnerability can cause the host to read beyond the end of a WebAssembly\u0027s linear memory in an attempt to transcode nonexistent bytes. In Wasmtime\u0027s default configuration this will read unmapped memory on a guard page, terminating the process with a segfault. Wasmtime can be configured, however, without guard pages which would mean that host memory beyond the end of linear memory may be read and interpreted as UTF-16. A host segfault is a denial-of-service vulnerability in Wasmtime, and possibly being able to read beyond the end of linear memory is additionally a vulnerability. Note that reading beyond the end of linear memory requires nonstandard configuration of Wasmtime, specifically with guard pages disabled. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34941",
"url": "https://www.suse.com/security/cve/CVE-2026-34941"
},
{
"category": "external",
"summary": "SUSE Bug 1261869 for CVE-2026-34941",
"url": "https://bugzilla.suse.com/1261869"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-14T08:09:11Z",
"details": "moderate"
}
],
"title": "CVE-2026-34941"
},
{
"cve": "CVE-2026-34942",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34942"
}
],
"notes": [
{
"category": "general",
"text": "Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime\u0027s implementation of transcoding strings into the Component Model\u0027s utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34942",
"url": "https://www.suse.com/security/cve/CVE-2026-34942"
},
{
"category": "external",
"summary": "SUSE Bug 1261891 for CVE-2026-34942",
"url": "https://bugzilla.suse.com/1261891"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-14T08:09:11Z",
"details": "important"
}
],
"title": "CVE-2026-34942"
},
{
"cve": "CVE-2026-34943",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34943"
}
],
"notes": [
{
"category": "general",
"text": "Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags the component model specifies that these bits should be ignored but Wasmtime will panic when this value is lifted. This panic only affects wasmtime\u0027s implementation of lifting into Val, not when using the flags! macro. This additionally only affects flags-typed values which are part of a WIT interface. This has the risk of being a guest-controlled panic within the host which Wasmtime considers a DoS vector. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34943",
"url": "https://www.suse.com/security/cve/CVE-2026-34943"
},
{
"category": "external",
"summary": "SUSE Bug 1261951 for CVE-2026-34943",
"url": "https://bugzilla.suse.com/1261951"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-14T08:09:11Z",
"details": "moderate"
}
],
"title": "CVE-2026-34943"
},
{
"cve": "CVE-2026-34944",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34944"
}
],
"notes": [
{
"category": "general",
"text": "Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, on x86-64 platforms with SSE3 disabled Wasmtime\u0027s compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in an uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it\u0027s possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34944",
"url": "https://www.suse.com/security/cve/CVE-2026-34944"
},
{
"category": "external",
"summary": "SUSE Bug 1261961 for CVE-2026-34944",
"url": "https://bugzilla.suse.com/1261961"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-14T08:09:11Z",
"details": "moderate"
}
],
"title": "CVE-2026-34944"
},
{
"cve": "CVE-2026-34945",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34945"
}
],
"notes": [
{
"category": "general",
"text": "Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime\u0027s Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host\u0027s stack to WebAssembly guests. The host\u0027s stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table\u0027s index type to see how large the returned register could be. When combined with details about Winch\u0027s ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34945",
"url": "https://www.suse.com/security/cve/CVE-2026-34945"
},
{
"category": "external",
"summary": "SUSE Bug 1262005 for CVE-2026-34945",
"url": "https://bugzilla.suse.com/1262005"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-14T08:09:11Z",
"details": "moderate"
}
],
"title": "CVE-2026-34945"
},
{
"cve": "CVE-2026-34946",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34946"
}
],
"notes": [
{
"category": "general",
"text": "Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime\u0027s Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-of-service vulnerability in Wasmtime due to guests being able to trigger a panic. The specific issue is that a historical refactoring changed how compiled code referenced tables within the table.* instructions. This refactoring forgot to update the Winch code paths associated as well, meaning that Winch was using the wrong indexing scheme. Due to the feature support of Winch the only problem that can result is tables being mixed up or nonexistent tables being used, meaning that the guest is limited to panicking the host (using a nonexistent table), or executing spec-incorrect behavior and modifying the wrong table. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34946",
"url": "https://www.suse.com/security/cve/CVE-2026-34946"
},
{
"category": "external",
"summary": "SUSE Bug 1261973 for CVE-2026-34946",
"url": "https://bugzilla.suse.com/1261973"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-14T08:09:11Z",
"details": "moderate"
}
],
"title": "CVE-2026-34946"
},
{
"cve": "CVE-2026-34987",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34987"
}
],
"notes": [
{
"category": "general",
"text": "Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-memory sandbox. This vulnerability requires use of the Winch compiler (-Ccompiler=winch). By default, Wasmtime uses its Cranelift backend, not Winch. With Winch, the same incorrect assumption is present in theory on both aarch64 and x86-64. The aarch64 case has an observed-working proof of concept, while the x86-64 case is theoretical and may not be reachable in practice. This Winch compiler bug can allow the Wasm guest to access memory before or after the linear-memory region, independently of whether pre- or post-guard regions are configured. The accessible range in the initial bug proof-of-concept is up to 32KiB before the start of memory, or ~4GiB after the start of memory, independently of the size of pre- or post-guard regions or the use of explicit or guard-region-based bounds checking. However, the underlying bug assumes a 32-bit memory offset stored in a 64-bit register has its upper bits cleared when it may not, and so closely related variants of the initial proof-of-concept may be able to access truly arbitrary memory in-process. This could result in a host process segmentation fault (DoS), an arbitrary data leak from the host process, or with a write, potentially an arbitrary RCE. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34987",
"url": "https://www.suse.com/security/cve/CVE-2026-34987"
},
{
"category": "external",
"summary": "SUSE Bug 1262030 for CVE-2026-34987",
"url": "https://bugzilla.suse.com/1262030"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-14T08:09:11Z",
"details": "important"
}
],
"title": "CVE-2026-34987"
},
{
"cve": "CVE-2026-34988",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34988"
}
],
"notes": [
{
"category": "general",
"text": "Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime\u0027s implementation of its pooling allocator contains a bug where in certain configurations the contents of linear memory can be leaked from one instance to the next. The implementation of resetting the virtual memory permissions for linear memory used the wrong predicate to determine if resetting was necessary, where the compilation process used a different predicate. This divergence meant that the pooling allocator incorrectly deduced at runtime that resetting virtual memory permissions was not necessary while compile-time determined that virtual memory could be relied upon. The pooling allocator must be in use, Config::memory_guard_size configuration option must be 0, Config::memory_reservation configuration must be less than 4GiB, and pooling allocator must be configured with max_memory_size the same as the memory_reservation value in order to exploit this vulnerability. If all of these conditions are applicable then when a linear memory is reused the VM permissions of the previous iteration are not reset. This means that the compiled code, which is assuming out-of-bounds loads will segfault, will not actually segfault and can read the previous contents of linear memory if it was previously mapped. This represents a data leakage vulnerability between guest WebAssembly instances which breaks WebAssembly\u0027s semantics and additionally breaks the sandbox that Wasmtime provides. Wasmtime is not vulnerable to this issue with its default settings, nor with the default settings of the pooling allocator, but embeddings are still allowed to configure these values to cause this vulnerability. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34988",
"url": "https://www.suse.com/security/cve/CVE-2026-34988"
},
{
"category": "external",
"summary": "SUSE Bug 1261966 for CVE-2026-34988",
"url": "https://bugzilla.suse.com/1261966"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-14T08:09:11Z",
"details": "moderate"
}
],
"title": "CVE-2026-34988"
},
{
"cve": "CVE-2026-35186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35186"
}
],
"notes": [
{
"category": "general",
"text": "Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime\u0027s Winch compiler backend contains a bug where translating the table.grow operator causes the result to be incorrectly typed. For 32-bit tables this means that the result of the operator, internally in Winch, is tagged as a 64-bit value instead of a 32-bit value. This invalid internal representation of Winch\u0027s compiler state compounds into further issues depending on how the value is consumed. The primary consequence of this bug is that bytes in the host\u0027s address space can be stored/read from. This is only applicable to the 16 bytes before linear memory, however, as the only significant return value of table.grow that can be misinterpreted is -1. The bytes before linear memory are, by default, unmapped memory. Wasmtime will detect this fault and abort the process, however, because wasm should not be able to access these bytes. Overall this bug in Winch represents a DoS vector by crashing the host process, a correctness issue within Winch, and a possible leak of up to 16-bytes before linear memory. Wasmtime\u0027s default compiler is Cranelift, not Winch, and Wasmtime\u0027s default settings are to place guard pages before linear memory. This means that Wasmtime\u0027s default configuration is not affected by this issue, and when explicitly choosing Winch Wasmtime\u0027s otherwise default configuration leads to a DoS. Disabling guard pages before linear memory is required to possibly leak up to 16-bytes of host data. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35186",
"url": "https://www.suse.com/security/cve/CVE-2026-35186"
},
{
"category": "external",
"summary": "SUSE Bug 1262034 for CVE-2026-35186",
"url": "https://bugzilla.suse.com/1262034"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-14T08:09:11Z",
"details": "moderate"
}
],
"title": "CVE-2026-35186"
},
{
"cve": "CVE-2026-35195",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35195"
}
],
"notes": [
{
"category": "general",
"text": "Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime\u0027s implementation of transcoding strings between components contains a bug where the return value of a guest component\u0027s realloc is not validated before the host attempts to write through the pointer. This enables a guest to cause the host to write arbitrary transcoded string bytes to an arbitrary location up to 4GiB away from the base of linear memory. These writes on the host could hit unmapped memory or could corrupt host data structures depending on Wasmtime\u0027s configuration. Wasmtime by default reserves 4GiB of virtual memory for a guest\u0027s linear memory meaning that this bug will by default on hosts cause the host to hit unmapped memory and abort the process due to an unhandled fault. Wasmtime can be configured, however, to reserve less memory for a guest and to remove all guard pages, so some configurations of Wasmtime may lead to corruption of data outside of a guest\u0027s linear memory, such as host data structures or other guests\u0027s linear memories. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35195",
"url": "https://www.suse.com/security/cve/CVE-2026-35195"
},
{
"category": "external",
"summary": "SUSE Bug 1262038 for CVE-2026-35195",
"url": "https://bugzilla.suse.com/1262038"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:libtree-sitter0_26-x86-64-v3-0.26.8-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:tree-sitter-devel-0.26.8-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-14T08:09:11Z",
"details": "moderate"
}
],
"title": "CVE-2026-35195"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.