{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39934", "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "state": "PUBLISHED", "assignerShortName": "wikimedia-foundation", "dateReserved": "2026-04-07T21:25:36.589Z", "datePublished": "2026-04-07T22:00:46.100Z", "dateUpdated": "2026-04-08T22:04:41.006Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "shortName": "wikimedia-foundation", "dateUpdated": "2026-04-08T22:04:41.006Z"}, "title": "Growth Experiments ReassignMenteesJob runs as an infinite loop", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-835", "description": "CWE-835 Loop with unreachable exit condition ('infinite loop')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "affected": [{"vendor": "The Wikimedia Foundation", "product": "Mediawiki - GrowthExperiments Extension", "versions": [{"status": "affected", "version": "1.45"}, {"status": "affected", "version": "1.44"}, {"status": "affected", "version": "1.43"}, {"status": "affected", "version": "0", "lessThan": "1.43", "versionType": "custom"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Loop with unreachable exit condition ('infinite loop') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions. This issue was remediated only on the `master` branch.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Loop with unreachable exit condition ('infinite loop') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions. This issue was remediated only on the `master` branch."}]}], "references": [{"url": "https://phabricator.wikimedia.org/T418222"}, {"url": "https://gerrit.wikimedia.org/r/c/1243874"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L"}}], "credits": [{"lang": "en", "value": "Urbanecm_WMF", "type": "finder"}, {"lang": "en", "value": "Michael", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:20:23.112186Z", "id": "CVE-2026-39934", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:20:39.477Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39934", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:20:23.112186Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:20:35.727Z"}}], "cna": {"title": "Growth Experiments ReassignMenteesJob runs as an infinite loop", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Urbanecm_WMF"}, {"lang": "en", "type": "finder", "value": "Michael"}], "impacts": [{"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "The Wikimedia Foundation", "product": "Mediawiki - GrowthExperiments Extension", "versions": [{"status": "affected", "version": "1.45"}, {"status": "affected", "version": "1.44"}, {"status": "affected", "version": "1.43"}, {"status": "affected", "version": "0", "lessThan": "1.43", "versionType": "custom"}], "defaultStatus": "affected"}], "references": [{"url": "https://phabricator.wikimedia.org/T418222"}, {"url": "https://gerrit.wikimedia.org/r/c/1243874"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Loop with unreachable exit condition ('infinite loop') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions. This issue was remediated only on the `master` branch.", "supportingMedia": [{"type": "text/html", "value": "Loop with unreachable exit condition ('infinite loop') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions. This issue was remediated only on the `master` branch.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-835", "description": "CWE-835 Loop with unreachable exit condition ('infinite loop')"}]}], "providerMetadata": {"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "shortName": "wikimedia-foundation", "dateUpdated": "2026-04-08T22:04:41.006Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39934", "state": "PUBLISHED", "dateUpdated": "2026-04-08T22:04:41.006Z", "dateReserved": "2026-04-07T21:25:36.589Z", "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "datePublished": "2026-04-07T22:00:46.100Z", "assignerShortName": "wikimedia-foundation"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Loop with unreachable exit condition ('infinite loop') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions. This issue was remediated only on the `master` branch."}], "id": "CVE-2026-39934", "lastModified": "2026-04-08T23:16:58.717", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "type": "Secondary"}]}, "published": "2026-04-07T22:16:24.137", "references": [{"source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "url": "https://gerrit.wikimedia.org/r/c/1243874"}, {"source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "url": "https://phabricator.wikimedia.org/T418222"}], "sourceIdentifier": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.45.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.44.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.43.7"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 94.0, "source": "matching"}]}, "original": {"product": "Mediawiki - GrowthExperiments Extension", "source": "cna", "vendor": "The Wikimedia Foundation"}, "product": "mediawiki-growthexperiments_extension", "vendor": "wikimedia"}], "analysis": {"en": {"generated_at": "2026-04-08T23:27:00.322996+00:00", "value": {"mitigation_remediation": ["Upgrade the GrowthExperiments Extension to the most recent commit on the master branch that contains the infinite\u2011loop fix.", "If an upgrade is not immediately possible, remove or disable the GrowthExperiments feature until the patch is applied.", "Implement monitoring for prolonged worker processes and set timeouts or resource limits to prevent a single job from consuming excessive CPU or memory.", "Verify that the hosting environment has up\u2011to\u2011date security patches and that MediaWiki core is current to reduce overall attack surface."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is the GrowthExperiments Extension maintained by the Wikimedia Foundation for MediaWiki. No specific release numbers are listed; the issue is present in all branches prior to the fix that was implemented only on the master branch.", "description_and_impact": "The vulnerability is an infinite loop in the GrowthExperiments Extension of MediaWiki caused by an unreachable exit condition. The loop can run indefinitely, consuming system resources until the job is manually terminated. This uncontrolled execution can also be leveraged through Time\u2011of\u2011Check to Time\u2011of\u2011Use race conditions, allowing an adversary to exploit timing gaps during job processing. Such behavior can interrupt normal operation and potentially expose application state changes to unintended consumers.", "risk_and_exploitability": "The vulnerability scores a CVSS of 6.9, indicating moderate severity, and has an EPSS below 1%, meaning that exploitation probability is very low. It is not included in the CISA KEV catalog. The likely attack vector is through any user who can initiate the GrowthExperiments job via the MediaWiki interface or API, allowing the attacker to induce an infinite loop and possibly trigger timing-based side effects. While the theoretical impact could be service disruption or denial of service, real\u2011world exploitation would require the attacker to trigger the job and observe its effects, which is a low\u2011to\u2011moderate risk scenario for typical deployments."}}}}, "created": "2026-04-08T19:45:23.598600+00:00", "updated": "2026-04-09T08:28:37.915478+00:00", "vendors": ["wikimedia", "wikimedia$PRODUCT$mediawiki-growthexperiments_extension"]}