Description
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags, the component model specifies that these bits should be ignored, but Wasmtime will panic when this value is lifted. This panic only affects wasmtime's implementation of lifting into Val, not when using the flags! macro. This additionally only affects flags-typed values which are part of a WIT interface. This has the risk of being a guest-controlled panic within the host which Wasmtime considers a DoS vector. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
Published: 2026-04-09
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service resulting from host crash
Action: Immediate Patch
AI Analysis

Impact

Wasmtime's component-model embedding API can lift guest-supplied component values into the dynamically typed `Val` representation. In releases before 24.0.7, 36.0.7, 42.0.2 and 43.0.1, lifting a `flags`-typed value whose raw representation has bits set outside the flags defined for that type panics instead of ignoring those bits as the component model requires. Because the raw value comes from the guest, a guest component can trigger the panic inside the host process; Wasmtime treats guest-controlled host panics as a denial-of-service vector, since an unhandled panic terminates the host (or, at minimum, the thread) rather than returning an error to the embedder. The panic is confined to lifting into `Val` for `flags` types that are part of a WIT interface; the statically typed `flags!` macro path is not affected.
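The following added example illustrates the bug class in isolation. It is not Wasmtime's code: the function names, the label-by-bit model and the 32-label limit are assumptions for the example. It lifts a `flags` value from its canonical-ABI integer two ways: the spec-conforming lift masks off undefined bits, while the buggy variant asserts on them and so turns a guest-chosen integer into a host panic.

```rust
// Added illustration of the CVE-2026-34943 bug class (not Wasmtime code).
// Assumption: a `flags` type with n labels packs label i into bit i of a
// single u32, and this example supports at most 32 labels.

/// Bit mask covering the `n` defined flag labels.
fn defined_mask(n: usize) -> u32 {
    assert!(n <= 32, "example supports at most 32 flag labels");
    if n == 32 { u32::MAX } else { (1u32 << n) - 1 }
}

/// Spec-conforming lift: bits above the defined labels are ignored.
/// Returns the names of the set flags in declaration order.
pub fn lift_flags(labels: &[&str], raw: u32) -> Vec<String> {
    let raw = raw & defined_mask(labels.len()); // drop undefined bits
    labels
        .iter()
        .enumerate()
        .filter(|(i, _)| (raw & (1u32 << *i)) != 0)
        .map(|(_, l)| l.to_string())
        .collect()
}

/// Buggy lift: treats undefined bits as a malformed value and panics.
/// Mirrors the failure mode the advisory describes (a guest-controlled
/// host panic); it is not Wasmtime's actual implementation.
pub fn lift_flags_panicking(labels: &[&str], raw: u32) -> Vec<String> {
    let undefined = raw & !defined_mask(labels.len());
    assert!(undefined == 0, "undefined flag bits set: {undefined:#x}");
    lift_flags(labels, raw)
}

/// Lower a set of flag names back to the canonical-ABI integer.
pub fn lower_flags(labels: &[&str], set: &[&str]) -> u32 {
    set.iter().fold(0u32, |acc, name| {
        let idx = labels.iter().position(|l| l == name).expect("unknown flag name");
        acc | (1u32 << idx)
    })
}

fn main() {
    let labels = ["read", "write", "exec"];
    // Constructed guest value: bits 0 and 2 are defined labels, bit 7 is not.
    let from_guest: u32 = 0b1000_0101;

    println!("spec lift: {:?}", lift_flags(&labels, from_guest));
    let outcome = std::panic::catch_unwind(|| lift_flags_panicking(&labels, from_guest));
    println!("buggy lift panicked: {}", outcome.is_err());
    println!("round trip: {:#x}", lower_flags(&labels, &["read", "exec"]));
}
```

The point a practitioner should take from this is that any validation of guest data that ends in `assert!`, `unwrap()` or an index out of range is a DoS primitive; the fix is to make the lifting code total over every possible integer the guest can produce.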

Affected Systems

The vulnerability affects the Wasmtime runtime from the Bytecode Alliance. Releases earlier than 24.0.7 on the 24.x line, earlier than 36.0.7 on the 36.x line, earlier than 42.0.2 on the 42.x line, and earlier than 43.0.1 on the 43.x line are susceptible. The description lists fixes only for those four lines, so intermediate release lines (for example 25.x through 35.x) have no patched release and should be treated as affected. Organizations that embed Wasmtime (the `wasmtime` crate) or ship the CLI must check which version they actually resolve and ensure it is at or later than the patched release for their line.

Risk and Exploitability

The CVSS v4.0 score of 5.6 from the advisory classifies this issue as medium severity; NVD's CVSS v3.1 assessment (7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) rates it high, reflecting that no privileges or user interaction are needed once untrusted guest code is running. EPSS is below 1% (very low), the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and the SSVC record marks exploitation as "none", so there is no known exploitation at the time of writing. Nevertheless, the flaw is triggered by data the guest controls, so any embedding that lifts `flags` values into `Val` from untrusted components can be crashed by a malicious guest. The risk is significant for multi-tenant or sandboxing deployments that rely on Wasmtime to contain untrusted code; it is lower where only trusted components are executed or where the statically typed `flags!` bindings are used. Updating to a patched release removes this risk.

Generated by OpenCVE AI on April 10, 2026 at 02:26 UTC.

Remediation

Vendor fix: Wasmtime 24.0.7, 36.0.7, 42.0.2 and 43.0.1 (advisory GHSA-m758-wjhj-p3jq). Mitigation supported by the advisory text: the panic is specific to lifting `flags` into the dynamic `Val` type for types declared in a WIT interface; embeddings that bind those types with the `flags!` macro (statically typed bindings) are not affected.

OpenCVE Recommended Actions

  • Upgrade Wasmtime to at least version 24.0.7, 36.0.7, 42.0.2, or 43.0.1, depending on the release line in use.
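An added helper, not project code, for deciding whether a version string from `wasmtime --version` or `cargo tree -i wasmtime` includes the fix. It encodes the page's fixed releases; the assumptions that every release newer than 43.0.1 also carries the fix, and that lines between the patched ones (25.x to 35.x, 37.x to 41.x) received no backport, are this example's reading of the advisory's "prior to" wording.

```rust
// Added example for CVE-2026-34943 version triage (not Wasmtime code).
// Assumptions: releases at or after 43.0.1 include the fix; release lines
// not named in the advisory have no patched release.

/// Fixed releases named in the advisory, as (major, minor, patch).
pub const FIXED_RELEASES: [(u64, u64, u64); 4] =
    [(24, 0, 7), (36, 0, 7), (42, 0, 2), (43, 0, 1)];

/// Parse "43.0.1", "v43.0.1" or "wasmtime-cli 43.0.1" into a version triple.
/// A pre-release suffix such as "1-rc1" is read by its leading digits.
pub fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let token = s.split_whitespace().last()?.trim_start_matches('v');
    let mut parts = token.split('.').map(|p| {
        p.chars()
            .take_while(|c| c.is_ascii_digit())
            .collect::<String>()
            .parse::<u64>()
            .ok()
    });
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// None when the string is not a version; otherwise whether it is patched.
pub fn is_patched(s: &str) -> Option<bool> {
    let v = parse_version(s)?;
    let newest = FIXED_RELEASES[FIXED_RELEASES.len() - 1];
    if v >= newest {
        return Some(true); // assumption: later majors include the fix
    }
    // Backports exist only on the named lines: same major and at least the fix.
    Some(FIXED_RELEASES.iter().any(|f| f.0 == v.0 && v >= *f))
}

fn main() {
    // Constructed inputs, as they might come from `wasmtime --version`.
    for s in ["wasmtime-cli 36.0.5", "v36.0.7", "30.0.2", "43.1.0", "not-a-version"] {
        match is_patched(s) {
            Some(true) => println!("{s}: patched"),
            Some(false) => println!("{s}: VULNERABLE, upgrade"),
            None => println!("{s}: unparseable"),
        }
    }
}
```

For embedders the version that matters is the one resolved in `Cargo.lock`, not the one in `Cargo.toml`; `cargo tree -i wasmtime` prints the resolved version and what depends on it.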


Advisories
Source: Github GHSA
ID: GHSA-m758-wjhj-p3jq
Title: Wasmtime has a possible panic when lifting `flags` component value
History

Mon, 20 Apr 2026 18:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L'}
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Mon, 13 Apr 2026 21:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Bytecodealliance; Bytecodealliance wasmtime

Type: Vendors & Products
Values Added: Bytecodealliance; Bytecodealliance wasmtime

Fri, 10 Apr 2026 00:15:00 +0000

Type: Weaknesses
Values Added: CWE-1287

Type: References
(values not shown on this page)

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 5.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L'}; threat_severity Moderate


Thu, 09 Apr 2026 19:00:00 +0000

Type: Description
Values Added: Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags the component model specifies that these bits should be ignored but Wasmtime will panic when this value is lifted. This panic only affects wasmtime's implementation of lifting into Val, not when using the flags! macro. This additionally only affects flags-typed values which are part of a WIT interface. This has the risk of being a guest-controlled panic within the host which Wasmtime considers a DoS vector. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.

Type: Title
Values Added: Wasmtime panics when lifting `flags` component value

Type: Weaknesses
Values Added: CWE-248

Type: References
(values not shown on this page)

Type: Metrics
Values Added: cvssV4_0 {'score': 5.6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T20:15:23.994Z

Reserved: 2026-03-31T17:27:08.660Z

Link: CVE-2026-34943

Vulnrichment

Updated: 2026-04-13T20:15:19.863Z

NVD

Status : Analyzed

Published: 2026-04-09T19:16:24.020

Modified: 2026-04-20T18:28:03.000

Link: CVE-2026-34943

Redhat

Severity : Moderate

Public Date: 2026-04-09T18:36:51Z

Links: CVE-2026-34943 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:31:42Z

Weaknesses