CVE-2026-44216

EUVD-2026-30304

14.05.2026, 15:16

Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Affected Products (NVD)

Vendor	Product	Version
bytecodealliance	wasmtime	30.0.0 ≤ 𝑥 < 36.0.8
bytecodealliance	wasmtime	37.0.0 ≤ 𝑥 < 43.0.2
bytecodealliance	wasmtime	44.0.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

rust-wasmtime

forky	36.0.11+dfsg-1 fixed
sid	36.0.12+dfsg-2 fixed
trixie	vulnerable

Common Weakness Enumeration

CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg