The wcsstr implementation in glibc is a naive O(mn) implementation, which allows denial of service with untrusted inputs. A smarter O(m+n) implementation should be used, as with strstr.
Flagging security- until there is demonstrated application impact.
Fixed on 2.40.