CVE-2026-34943Uncaught Exception in Wasmtime

CWE-248Uncaught ExceptionCWE-1287Improper Validation of Specified Type of Input9 documents7 sources
Severity
5.6MEDIUMNVD
EPSS
0.0%
top 96.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Bytecodealliance Wasmtime
Timeline
PublishedApr 9

Description

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags the component model specifies that these bits should be ignored but Wasmtime will panic when this value is lifted. This panic only affects wasmtime's implementation of lifting into Val, not when using the flags! macro. This additionally only affects

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

CVEListV5bytecodealliance/wasmtime< 24.0.7+3
crates.iobytecodealliance/wasmtime25.0.036.0.7+4

🔴Vulnerability Details

4
OSV
Wasmtime has a possible panic when lifting `flags` component value2026-04-09
GHSA
Wasmtime has a possible panic when lifting `flags` component value2026-04-09
VulDB
bytecodealliance wasmtime up to 24.0.6/36.0.6/42.0.1/44.0.0 WIT Interface uncaught exception (GHSA-m758-wjhj-p3jq)2026-04-09
OSV
Panic when lifting `flags` component value2026-04-09

📋Vendor Advisories

1
Red Hat
Wasmtime: Wasmtime: Denial of Service due to malformed flags-typed component model value processing2026-04-09

🕵️Threat Intelligence

1
Wiz
CVE-2026-34943 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

2
Bugzilla
CVE-2026-34943 tree-sitter: Wasmtime: Denial of Service due to malformed flags-typed component model value processing [fedora-all]2026-04-09
Bugzilla
CVE-2026-34943 Wasmtime: Wasmtime: Denial of Service due to malformed flags-typed component model value processing2026-04-09