Description
Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.
Published: 2026-05-14
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Wasmtime’s runtime allocates WebAssembly tables by performing arithmetic that can overflow when a module or component specifies an extremely large table size under the memory64 proposal. This overflow leads to a panic that abruptly terminates the runtime, causing a loss of service for any application that depends on Wasmtime. The crash does not expose code execution or data exfiltration vulnerabilities.

Affected Systems

The affected product is Wasmtime from Bytecode Alliance. Versions prior to 36.0.8, prior to 43.0.2, and prior to 44.0.1 contain the vulnerability. These include releases from 30.0.0 through 36.0.7, as well as 43.0.1 and earlier 44.0.0. The patched releases are 36.0.8, 43.0.2, and 44.0.1.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. No EPSS data is available, so the likelihood of exploitation is undefined. The vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is a crafted WebAssembly module or component that requests a table size beyond the 32‑bit limit enabled by the memory64 proposal; such a request would trigger the overflow and cause the runtime to panic, resulting in denial of service.

Generated by OpenCVE AI on May 14, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wasmtime to version 36.0.8 or newer, including 43.0.2 and 44.0.1, which contain the fix.
  • If an upgrade is not immediately possible, configure the runtime to disable or restrict the memory64 proposal so that table sizes remain within the 32‑bit range.
  • Add boundary checks to module table size requests to prevent allocation of tables that approach the host address space limit.

Generated by OpenCVE AI on May 14, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p8xm-42r7-89xg wasmtime has a panic when allocating a table exceeding the size of the host's address space
History

Thu, 14 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Bytecodealliance
Bytecodealliance wasmtime
Vendors & Products Bytecodealliance
Bytecodealliance wasmtime

Thu, 14 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.
Title Wasmtime: Panic when allocating a table exceeding the size of the host's address space
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Bytecodealliance Wasmtime
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T14:54:32.975Z

Reserved: 2026-05-05T15:13:47.572Z

Link: CVE-2026-44216

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-14T15:16:47.793

Modified: 2026-05-14T18:17:11.253

Link: CVE-2026-44216

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T17:00:15Z

Weaknesses