CVE-2026-34943
Published 2026-04-09
Priority: P341 · high · 7.5 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 0.32% (24.1th percentile)
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags, the component model specifies that these bits should be ignored, but Wasmtime will panic when this value is lifted. This panic only affects Wasmtime's implementation of lifting into Val, not when using the flags! macro. This additionally only affects flags-typed values which are part of a WIT interface. This has the risk of being a guest-controlled panic within the host, which Wasmtime considers a DoS vector. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
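The difference between rejecting and ignoring undeclared flag bits, as an added example that is not Wasmtime's code and does not reproduce its lifting internals, which this page does not show. It assumes a simplified model in which a flags value is one `u32` bitfield; `lift_strict` and `lift_masked` are hypothetical names.

```rust
// Added illustration: a simplified model of lifting a `flags` value into a
// list of flag names. This is not Wasmtime's code; `lift_strict` and
// `lift_masked` are hypothetical names.

/// Strict lift: any set bit without a declared flag is an error.
/// A host that unwraps this result lets guest input panic the host.
fn lift_strict(names: &[&str], bits: u32) -> Result<Vec<String>, String> {
    let mut out = Vec::new();
    for i in 0..32usize {
        if bits & (1u32 << i) != 0 {
            match names.get(i) {
                Some(name) => out.push(name.to_string()),
                None => return Err(format!("bit {i} has no declared flag")),
            }
        }
    }
    Ok(out)
}

/// Lenient lift: bits outside the declared flags are ignored, which is the
/// behaviour the advisory says the component model specifies.
fn lift_masked(names: &[&str], bits: u32) -> Vec<String> {
    names
        .iter()
        .take(32) // this model stores flags in a single u32
        .enumerate()
        .filter(|(i, _)| bits & (1u32 << *i) != 0)
        .map(|(_, name)| name.to_string())
        .collect()
}

fn main() {
    // Constructed sample: three declared flags, guest also sets undeclared bit 4.
    let names = ["read", "write", "exec"];
    let guest_bits = 0b1_0101;
    println!("masked: {:?}", lift_masked(&names, guest_bits));
    println!("strict: {:?}", lift_strict(&names, guest_bits));
}
```

Host code that handles guest-supplied values should treat the strict variant's error as data to report, never as a condition to unwrap.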
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | < 24.0.7 | 24.0.7 |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | >= 0 < 24.0.7 | 24.0.7 |
| bytecodealliance | wasmtime | >= 0.0.0-0 < 24.0.7 | 24.0.7 |
| bytecodealliance | wasmtime | >= 25.0.0 < 36.0.7 | 36.0.7 |
| bytecodealliance | wasmtime | >= 25.0.0 < 36.0.7 | 36.0.7 |
| bytecodealliance | wasmtime | >= 37.0.0 < 42.0.2 | 42.0.2 |
| bytecodealliance | wasmtime | >= 37.0.0 < 42.0.2 | 42.0.2 |
| bytecodealliance | wasmtime | >= 43.0.0 < 43.0.1 | 43.0.1 |
| bytecodealliance | wasmtime | >= 43.0.0 < 43.0.1 | 43.0.1 |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd · v4.0 · 5.6 MEDIUM · CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat · 5.6 MEDIUM
Red Hat
Wasmtime: Wasmtime: Denial of Service due to malformed flags-typed component model value processing
vendor_redhat·2026-04-09·CVSS 5.6
CVE-2026-34943 [MEDIUM] CWE-1287 Wasmtime: Wasmtime: Denial of Service due to malformed flags-typed component model value processing
A flaw was found in Wasmtime, a runtime for WebAssembly. A malicious guest can exploit an issue where a flags-typed component model value, containing unexpected bit settings, causes the host system to panic during processing. This vulnerability can lead to a Denial of Service (DoS), rendering the host system unresponsive.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: redhat-user-workloads/rhcl-1-3-wasm-shim (Red Hat Connectivity Link 1) - Fix deferred
Package: virt-firmware-rs (Red
OSV
Wasmtime has a possible panic when lifting `flags` component value
osv·2026-04-09
CVE-2026-34943 [MEDIUM] Wasmtime has a possible panic when lifting `flags` component value
### Impact
Wasmtime contains a possible panic which can happen when a `flags`-typed component model value is lifted with the `Val` type. If bits are set outside of the set of flags, the component model specifies that these bits should be ignored, but Wasmtime will panic when this value is lifted. This panic only affects Wasmtime's implementation of lifting into `Val`, not when using the `flags!` macro. This additionally only affects `flags`-typed values which are part of a WIT interface.
This has the risk of being a guest-controlled panic within the host, which Wasmtime considers a DoS vector.
### Patches
Wasmtime 24.0.7, 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. Users are recommended to update to these
GHSA
Wasmtime has a possible panic when lifting `flags` component value
ghsa·2026-04-09
CVE-2026-34943 [MEDIUM] CWE-248 Wasmtime has a possible panic when lifting `flags` component value
VulDB
bytecodealliance wasmtime up to 24.0.6/36.0.6/42.0.1/44.0.0 WIT Interface uncaught exception (GHSA-m758-wjhj-p3jq)
vuldb·2026-04-09·CVSS 5.6
CVE-2026-34943 [MEDIUM] bytecodealliance wasmtime up to 24.0.6/36.0.6/42.0.1/44.0.0 WIT Interface uncaught exception (GHSA-m758-wjhj-p3jq)
A vulnerability, which was classified as problematic, has been found in bytecodealliance wasmtime up to 24.0.6/36.0.6/42.0.1/44.0.0. Affected by this issue is some unknown functionality of the component WIT Interface. This manipulation causes an uncaught exception.
This vulnerability is registered as CVE-2026-34943. Remote exploitation of the attack is possible. No exploit is available.
It is advisable to upgrade the affected component.
OSV
Panic when lifting `flags` component value
osv·2026-04-09
CVE-2026-34943 Panic when lifting `flags` component value
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m758-wjhj-p3jq
For more information see the GitHub-hosted security advisory.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-34943 tree-sitter: Wasmtime: Denial of Service due to malformed flags-typed component model value processing [fedora-all]
bugzilla·2026-04-09·CVSS 5.6
CVE-2026-34943 [MEDIUM] CVE-2026-34943 tree-sitter: Wasmtime: Denial of Service due to malformed flags-typed component model value processing [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-34943 Wasmtime: Wasmtime: Denial of Service due to malformed flags-typed component model value processing
bugzilla·2026-04-09·CVSS 5.6
CVE-2026-34943 [MEDIUM] CVE-2026-34943 Wasmtime: Wasmtime: Denial of Service due to malformed flags-typed component model value processing
Wiz
CVE-2026-34943 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.6
CVE-2026-34943 [MEDIUM] CVE-2026-34943 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34943: Rust vulnerability analysis and mitigation
Published: 2026-04-09