cvebase

Bytecodealliance Wasmtime vulnerabilities

42 known vulnerabilities affecting bytecodealliance/wasmtime.

Total CVEs: 42
CISA KEV: 0
Public exploits: 0
Exploited in wild: 1
Severity breakdown: CRITICAL 5, HIGH 16, MEDIUM 16, LOW 5

Vulnerabilities

Page 1 of 3
CVE-2024-51745 | P2 | CRITICAL | CVSS 10.0 | fixed in 24.0.2; v25.0.0; +5 more | 2024-11-05
CVE-2024-51745 [CRITICAL] CWE-67: Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. Un
ghsa, nvd, osv
CVE-2026-34987 | P2 | CRITICAL | CVSS 9.9 | ≥ 25.0.0, < 36.0.7; ≥ 37.0.0, < 42.0.2; +4 more | 2026-04-09
CVE-2026-34987 [CRITICAL] CWE-125: Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-memory sandbox. This vulnerability requires use of the Winch compiler (-Ccompiler=winch). By default, Wasmtime
ghsa, nvd, osv
CVE-2024-47763 | P4 | MEDIUM | CVSS 5.5 | Exploited | v21.0.0; v21.0.1; +12 more | 2024-10-09
CVE-2024-47763 [MEDIUM] CWE-670: Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtime crash is a deterministic process abort when Wasmtime
ghsa, nvd, osv
CVE-2023-26489 | P3 | CRITICAL | CVSS 9.9 | ≥ 0.37.0, < 4.0.1; v5.0.0; +7 more | 2023-03-08
CVE-2023-26489 [CRITICAL] CWE-125: wasmtime is a fast and secure runtime for WebAssembly. In affected versions wasmtime's code generator, Cranelift, has a bug on x86_64 targets where address-mode computation mistakenly would calculate a 35-bit effective address instead of WebAssembly's defined 33-bit effective address. This bug means that, with default codegen settings, a wasm-cont
ghsa, nvd, osv
CVE-2023-30624 | P3 | HIGH | CVSS 8.8 | fixed in 6.0.2; v7.0.0; +3 more | 2023-04-27
CVE-2023-30624 [HIGH] CWE-758: Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level issues when compiled with LLVM 16 which causes some writes, which are critic
ghsa, nvd, osv
CVE-2022-24791 | P3 | CRITICAL | CVSS 9.8 | ≥ 0.34.0, < 0.34.2; ≥ 0.35.0, < 0.35.2; +2 more | 2022-03-31
CVE-2022-24791 [CRITICAL] CWE-416: Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. There is a use after free vulnerability in Wasmtime when both running Wasm that uses externrefs and enabling epoch interruption in Wasmtime. If you are not explicitly enabling epoch interruption (it is disabled by default) then you are not affected. If you are explicitly
ghsa, nvd, osv
CVE-2022-31146 | P3 | HIGH | CVSS 8.8 | ≥ 0.37.0, < 0.38.2; v>= 0.37.0, < 0.38.2; +1 more | 2022-07-21
CVE-2022-31146 [HIGH] CWE-416: Wasmtime is a standalone runtime for WebAssembly. There is a bug in the Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing metadata required for runtime garbage collection. This means that if a GC happens at runtime then the GC pass will mistakenly think these functions do not have live references to
ghsa, nvd, osv
CVE-2026-47261 | P3 | HIGH | CVSS 7.5 | v>= 37.0.0, < 44.0.2; v>= 25.0.0, < 36.0.10; +1 more | 2026-06-15
CVE-2026-47261 [HIGH] CWE-284: Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 path_open interfaces by opening a file with only the OpenFlags::TRUNCATE ofla
nvd
CVE-2022-39394 | P3 | CRITICAL | CVSS 9.8 | fixed in 1.0.2; ≥ 2.0.0, < 2.0.2; +1 more | 2022-11-10
CVE-2022-39394 [CRITICAL] CWE-787: Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's C API implementation where the definition of the `wasmtime_trap_code` does not match its declared signature in the `wasmtime/trap.h` header file. This discrepancy causes the function implementation to perform a 4-byte write into a 1-byte buffer p
ghsa, nvd, osv
CVE-2026-34941 | P3 | HIGH | CVSS 8.1 | fixed in 24.0.7; ≥ 25.0.0, < 36.0.7; +5 more | 2026-04-09
CVE-2026-34941 [HIGH] CWE-125: Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byte length of the input string when performing a bounds check. Specifically the number of code units were checked in
ghsa, nvd, osv
CVE-2026-34971 | P3 | HIGH | CVSS 7.8 | ≥ 32.0.0, < 36.0.7; ≥ 37.0.0, < 42.0.2; +4 more | 2026-04-09
CVE-2026-34971 [HIGH] CWE-125: Wasmtime is a runtime for WebAssembly. From 32.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses which means that the wrong address is accessed. When combined with explicit bounds checks a guest WebAssembly module this can create a situation wher
ghsa, nvd, osv
CVE-2022-39393 | P3 | HIGH | CVSS 8.6 | fixed in 1.0.2; ≥ 2.0.0, < 2.0.2; +1 more | 2022-11-10
CVE-2022-39393 [HIGH] CWE-226: Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap snapshot of the prior instance can be visible, erroneously to the next instance. This bug has been patched and users
ghsa, nvd, osv
CVE-2021-32629 | P3 | HIGH | CVSS 8.8 | ≤ 0.73.0 | 2021-05-24
CVE-2021-32629 [HIGH] CWE-788: Cranelift is an open-source code generator maintained by Bytecode Alliance. It translates a target-independent intermediate representation into executable machine code. There is a bug in 0.73 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in a Wasm program. This bug was introduced in the new bac
ghsa, nvd, osv
CVE-2022-23636 | P3 | HIGH | CVSS 8.1 | fixed in 0.33.1; v0.34.0; +2 more | 2022-02-16
CVE-2022-23636 [HIGH] CWE-824: Wasmtime is an open source runtime for WebAssembly & WASI. Prior to versions 0.34.1 and 0.33.1, there exists a bug in the pooling instance allocator in Wasmtime's runtime where a failure to instantiate an instance for a module that defines an `externref` global will result in an invalid drop of a `VMExternRef` via an uninitialized pointer. A number of
ghsa, nvd, osv
CVE-2022-31169 | P3 | HIGH | CVSS 7.5 | fixed in 0.38.1; fixed in 0.38.2; +1 more | 2022-07-22
CVE-2022-31169 [HIGH] CWE-682: Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, for AArch64 targets where constant divisors can result in incorrect division results at runtime. This affects Wasmtime prior to version 0.38.2 and Cranelift prior to 0.85.2. This issue only affects the AArch64 platform. Other platforms are not aff
ghsa, nvd
CVE-2026-27572 | P3 | HIGH | CVSS 7.5 | fixed in 24.0.6; ≥ 25.0.0, < 36.0.6; +5 more | 2026-02-24
CVE-2026-27572 [HIGH] CWE-770: Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics whe
ghsa, nvd, osv
CVE-2026-27195 | P3 | HIGH | CVSS 7.5 | ≥ 39.0.0, < 40.0.4; ≥ 41.0.0, < 41.0.4; +2 more | 2026-02-24
CVE-2026-27195 [HIGH] CWE-755: Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` which made it capable of calling async-typed guest export functions. However, that implementation had a bug leading to a panic under certain circumstances:
ghsa, nvd, osv
CVE-2026-34946 | P3 | HIGH | CVSS 7.5 | ≥ 25.0.0, < 36.0.7; ≥ 37.0.0, < 42.0.2; +4 more | 2026-04-09
CVE-2026-34946 [HIGH] CWE-670: Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-o
ghsa, nvd, osv
CVE-2026-34943 | P3 | HIGH | CVSS 7.5 | fixed in 24.0.7; ≥ 25.0.0, < 36.0.7; +5 more | 2026-04-09
CVE-2026-34943 [HIGH] CWE-248: Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags the component model specifies that these bits should be ignored but Wasmtime will panic when this value
ghsa, nvd, osv
CVE-2026-35186 | P3 | HIGH | CVSS 7.5 | ≥ 25.0.0, < 36.0.7; ≥ 37.0.0, < 42.0.2; +4 more | 2026-04-09
CVE-2026-35186 [HIGH] CWE-789: Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler backend contains a bug where translating the table.grow operator causes the result to be incorrectly typed. For 32-bit tables this means that the result of the operator, internally in Winch, is tagged as a 64-bit value instead of a 32-bit
ghsa, nvd, osv