Description
Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.
Published: 2026-05-14
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Wasmtime’s runtime allocates WebAssembly tables by performing arithmetic that can overflow when a module or component specifies an extremely large table size under the memory64 proposal. This overflow triggers a panic that aborts the runtime, abruptly terminating any service that depends on Wasmtime. The flaw does not provide an attacker with code execution or data exfiltration capabilities, but it can be used to cause a denial‑of‑service condition.

Affected Systems

The vulnerable product is the Wasmtime runtime from Bytecode Alliance. Versions from 30.0.0 through 36.0.7, as well as 43.0.0 through 43.0.1 and 44.0.0, contain the unchecked arithmetic that can overflow. The fix is delivered in releases 36.0.8, 43.0.2, and 44.0.1, which handle table allocation safely.

Risk and Exploitability

The CVSS score of 5.9 classifies the issue as moderate severity. EPSS is reported as less than 1 %, indicating a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a crafted WebAssembly module or component that requests a table size larger than the 32‑bit limit enabled by the memory64 extension; such a request would cause the overflow and a runtime panic, leading to service interruption.

Generated by OpenCVE AI on May 16, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wasmtime to version 36.0.8 or newer, including 43.0.2 and 44.0.1, which contain the fix.
  • If an upgrade is not immediately possible, configure the runtime to disable or restrict the memory64 proposal so that table sizes remain within the 32‑bit range.
  • Add boundary checks to module table size requests to prevent allocation of tables that approach the host address space limit.

Generated by OpenCVE AI on May 16, 2026 at 01:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p8xm-42r7-89xg wasmtime has a panic when allocating a table exceeding the size of the host's address space
History

Mon, 18 May 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*
cpe:2.3:a:bytecodealliance:wasmtime:44.0.0:*:*:*:*:rust:*:*

Sat, 16 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Fri, 15 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Bytecodealliance
Bytecodealliance wasmtime
Vendors & Products Bytecodealliance
Bytecodealliance wasmtime

Thu, 14 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.
Title Wasmtime: Panic when allocating a table exceeding the size of the host's address space
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Bytecodealliance Wasmtime
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T19:09:21.141Z

Reserved: 2026-05-05T15:13:47.572Z

Link: CVE-2026-44216

cve-icon Vulnrichment

Updated: 2026-05-15T19:08:40.371Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-14T15:16:47.793

Modified: 2026-05-18T13:36:34.053

Link: CVE-2026-44216

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-14T14:54:32Z

Links: CVE-2026-44216 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-16T02:00:12Z

Weaknesses