CVE-2026-44216
published 2026-05-14CVE-2026-44216: Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked…
PriorityP339high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.32%
23.6th percentile
Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | >= 30.0.0 < 36.0.8 | 36.0.8 |
| bytecodealliance | wasmtime | >= 30.0.0 < 36.0.8 | 36.0.8 |
| bytecodealliance | wasmtime | >= 37.0.0 < 43.0.2 | 43.0.2 |
| bytecodealliance | wasmtime | >= 37.0.0 < 43.0.2 | 43.0.2 |
| rust-lang | rust | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv4.05.9MEDIUMCVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat5.9MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
bytecodealliance wasmtime up to 36.0.7/43.0.1/44.0.0 WebAssembly allocation of resources
vuldb·2026-05-14·CVSS 5.9
CVE-2026-44216 [MEDIUM] bytecodealliance wasmtime up to 36.0.7/43.0.1/44.0.0 WebAssembly allocation of resources
A vulnerability was found in bytecodealliance wasmtime up to 36.0.7/43.0.1/44.0.0. It has been rated as problematic. This issue affects some unknown processing of the component WebAssembly Module. This manipulation causes allocation of resources.
This vulnerability is registered as CVE-2026-44216. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is advised.
GHSA
wasmtime has a panic when allocating a table exceeding the size of the host's address space
ghsa·2026-05-07
CVE-2026-44216 [MEDIUM] CWE-770 wasmtime has a panic when allocating a table exceeding the size of the host's address space
wasmtime has a panic when allocating a table exceeding the size of the host's address space
### Impact
Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component.
This bug does not affect the pooling allocator which limits tables sizes to much less than the required amount to trigger the overflow. This bug is only present for the on-demand
Red Hat
wasmtime: Wasmtime: Denial of Service via large WebAssembly table allocation
vendor_redhat·2026-05-14·CVSS 5.9
CVE-2026-44216 [MEDIUM] CWE-190 wasmtime: Wasmtime: Denial of Service via large WebAssembly table allocation
wasmtime: Wasmtime: Denial of Service via large WebAssembly table allocation
Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.
A flaw was found in Wasmtime, a runtime for WebAssembly. A remote
No detection rules found.
No public exploits indexed.
2026-05-14
Published