Platform: php
Component: growthexperiments
Fixed in: 1.43, 1.44.1, 1.43.1, 1.43
CVE-2026-39934 describes a Time-of-Check to Time-of-Use (TOCTOU) race condition in the GrowthExperiments extension for MediaWiki. The flaw could allow an attacker to exploit the timing window between a check and its use to cause unintended behaviour, possibly resulting in a denial of service. The vulnerability affects GrowthExperiments versions 0.0.0 through 1.45; a fix has been implemented in version 1.43.
CVE-2026-39934 in the MediaWiki GrowthExperiments extension presents a risk due to an infinite loop condition tied to a TOCTOU (Time-of-Check to Time-of-Use) race condition. An attacker could alter the system's state between the moment a condition is checked and the moment the result is used, potentially leading to unexpected behaviour or even malicious code execution. The severity depends on the specific configuration of the extension and on the attacker's permissions. The fix was implemented in the master branch, but older versions of the GrowthExperiments extension remain vulnerable, so an immediate update is needed to mitigate the risk.
Exploiting this vulnerability requires a deep understanding of the internal workings of the GrowthExperiments extension and the ability to create a race condition: an attacker would try to change data or system state between the check and the use. The complexity of exploitation varies with the specific MediaWiki and GrowthExperiments configuration. The fix in the master branch indicates that developers have identified and addressed the issue, but older versions remain at risk.
Exploit Status
EPSS: 0.06% (17th percentile)
CISA SSVC:
The primary mitigation for CVE-2026-39934 is to update the GrowthExperiments extension to the latest available version (1.43 or higher), which includes the fix for the infinite loop and the TOCTOU race condition. If updating is not immediately possible, closely monitor the system for suspicious activity. Additionally, review and strengthen access control policies to limit user permissions and so reduce the impact of a successful exploitation. Test thoroughly after the update to confirm system stability and that the fix is in place.
Update the GrowthExperiments extension to version 1.43 or higher to mitigate the infinite loop vulnerability. This update corrects a TOCTOU race condition that can cause excessive resource consumption. Refer to the MediaWiki documentation for specific upgrade instructions.
TOCTOU (Time-of-Check to Time-of-Use) is a type of race condition vulnerability in which the state of a system changes between the time a condition is checked and the time the result of that check is used.
It allows an attacker to potentially manipulate the system's state, which could lead to unexpected behaviour or even malicious code execution.
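The following is an added, constructed illustration of the bug class described above; it is not code from GrowthExperiments and does not reproduce the extension's actual logic or patch. It models the shape of a check-then-use loop over shared state: a worker reads a counter (time of check) and then tries to decrement it (time of use). When another writer keeps changing the value in between, an unbounded retry loop never terminates, which is how a TOCTOU race turns into resource exhaustion. The hardened variant bounds its attempts and reports failure instead of spinning. The `Counter`, `bump` and `harness_cap` names are assumptions of this example; the harness cap exists only so the demonstration terminates.

```python
"""Constructed TOCTOU-to-infinite-loop illustration (not GrowthExperiments code)."""
import threading
from typing import Callable, Optional


class Counter:
    """Shared state whose only safe primitive is an atomic compare-and-set."""

    def __init__(self, value: int) -> None:
        self._value = value
        self._lock = threading.Lock()

    def get(self) -> int:
        return self._value

    def compare_and_set(self, expected: int, new: int) -> bool:
        """Write `new` only if the current value still equals `expected`."""
        with self._lock:
            if self._value != expected:
                return False
            self._value = new
            return True


class WouldLoopForever(RuntimeError):
    """Raised by the harness cap so the demo ends; real code has no such cap."""


def bump(counter: Counter) -> None:
    """Constructed interference: a concurrent request rewriting the value."""
    counter.compare_and_set(counter.get(), counter.get() + 1)


def naive_decrement(counter: Counter,
                    interfere: Optional[Callable[[Counter], None]] = None,
                    harness_cap: int = 1000) -> int:
    """Vulnerable shape: unbounded retry wrapped around check-then-use.

    Returns the number of failed retries before success. If the interference
    repeats on every iteration the loop never succeeds, so it would spin
    forever; the harness cap converts that into an exception.
    """
    retries = 0
    while True:
        observed = counter.get()                 # time of check
        if interfere is not None:
            interfere(counter)                   # state changes in the window
        if counter.compare_and_set(observed, observed - 1):   # time of use
            return retries
        retries += 1
        if retries >= harness_cap:
            raise WouldLoopForever(f"no progress after {retries} retries")


def bounded_decrement(counter: Counter,
                      interfere: Optional[Callable[[Counter], None]] = None,
                      max_attempts: int = 5) -> Optional[int]:
    """Hardened shape: same check-then-use, but retries are bounded.

    Returns the attempt number on success, or None when the operation could
    not be completed within `max_attempts` (caller logs and fails closed).
    """
    for attempt in range(1, max_attempts + 1):
        observed = counter.get()                 # time of check
        if interfere is not None:
            interfere(counter)
        if counter.compare_and_set(observed, observed - 1):   # time of use
            return attempt
    return None


def demonstrate() -> dict:
    """Run both variants with and without interference and collect outcomes."""
    results = {"naive_clean": naive_decrement(Counter(10))}
    try:
        naive_decrement(Counter(10), bump, harness_cap=100)
        results["naive_raced"] = "terminated"
    except WouldLoopForever:
        results["naive_raced"] = "spun until harness cap"
    results["bounded_clean"] = bounded_decrement(Counter(10))
    results["bounded_raced"] = bounded_decrement(Counter(10), bump)
    return results


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

The detection angle is the same in both directions: a request handler that keeps re-checking a condition without ever completing is visible as a worker pinned at full CPU or as request durations hitting the web server's timeout, so an alert on those symptoms catches this bug class even before the root cause is known.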
Closely monitor the system for suspicious activity and review access control policies.
The fix is available in the master branch and version 1.43. Older versions are vulnerable.
You can find more information in vulnerability databases such as the National Vulnerability Database (NVD) or on the Wikimedia Foundation website.