Bytecodealliance Wasmtime vulnerabilities
42 known vulnerabilities affecting bytecodealliance/wasmtime.
Total CVEs: 42
CISA KEV: 0
Public exploits: 0
Exploited in wild: 1
Severity breakdown: CRITICAL 5, HIGH 16, MEDIUM 16, LOW 5
Vulnerabilities
Page 2 of 3
CVE-2022-39392 | P3 | HIGH | CVSS 7.4 | CWE-119 | fixed in 1.0.2 | ≥ 2.0.0, < 2.0.2 | +1 more | 2022-11-10
Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator when the allocator is configured to give WebAssembly instances a maximum of zero pages of memory. In this configuration, the virtual memory mapping for WebAssembly memories did not meet the compiler-re
ghsa, nvd, osv

CVE-2026-44216 | P3 | HIGH | CVSS 7.5 | CWE-770 | ≥ 30.0.0, < 36.0.8 | ≥ 37.0.0, < 43.0.2 | +3 more | 2026-05-14
Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 propo
ghsa, nvd

CVE-2026-34945 | P3 | MEDIUM | CVSS 6.5 | CWE-681 | ≥ 25.0.0, < 36.0.7 | ≥ 37.0.0, < 42.0.2 | +4 more | 2026-04-09
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can
ghsa, nvd, osv

CVE-2026-34988 | P3 | MEDIUM | CVSS 6.3 | CWE-119 | ≥ 28.0.0, < 36.0.7 | ≥ 37.0.0, < 42.0.2 | +4 more | 2026-04-09
Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of its pooling allocator contains a bug where in certain configurations the contents of linear memory can be leaked from one instance to the next. The implementation of resetting the virtual memory permissions for linear memory used the
ghsa, nvd, osv

CVE-2026-27204 | P3 | MEDIUM | CVSS 6.5 | CWE-400 | fixed in 24.0.6 | ≥ 25.0.0, < 36.0.6 | +5 more | 2026-02-24
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces is susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested by the guests. This serves as a Denial of Service vec
ghsa, nvd, osv

CVE-2026-34942 | P3 | MEDIUM | CVSS 6.5 | CWE-129 | fixed in 24.0.7 | ≥ 25.0.0, < 36.0.7 | +5 more | 2026-04-09
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a
ghsa, nvd, osv

CVE-2026-35195 | P3 | MEDIUM | CVSS 5.4 | CWE-787 | fixed in 24.0.7 | ≥ 25.0.0, < 36.0.7 | +5 more | 2026-04-09
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings between components contains a bug where the return value of a guest component's realloc is not validated before the host attempts to write through the pointer. This enables a guest to cause the host to write arbitrary
ghsa, nvd, osv

CVE-2022-31104 | P4 | MEDIUM | CVSS 5.6 | CWE-682 | fixed in 0.38.1 | v wasmtime: < 0.38.1 | +1 more | 2022-06-28
Wasmtime is a standalone runtime for WebAssembly. In affected versions wasmtime's implementation of the SIMD proposal for WebAssembly on x86_64 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The aarch64 implementation of the simd proposal is not affected. The bugs were presented in the `i8x16.swizzle` and `select`
ghsa, nvd, osv

CVE-2021-39218 | P4 | MEDIUM | CVSS 6.3 | CWE-125 | ≥ 0.26.0, < 0.30.0 | v>= 0.26.0, <= 0.29.0 | 2021-09-17
Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime from version 0.26.0 and before version 0.30.0 is affected by a memory unsoundness vulnerability. There was an invalid free and out-of-bounds read and write bug when running Wasm that uses `externref`s in Wasmtime. To trigger this bug, Wasmtime needs to be running Wasm that uses `
ghsa, nvd

CVE-2021-39219 | P4 | MEDIUM | CVSS 6.3 | CWE-843 | fixed in 0.30.0 | ≤ 0.29.0 | 2021-09-17
Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime before version 0.30.0 is affected by a type confusion vulnerability. As a Rust library the `wasmtime` crate clearly marks which functions are safe and which are `unsafe`, guaranteeing that if consumers never use `unsafe` then it should not be possible to have memory unsafety issues
ghsa, nvd

CVE-2021-39216 | P4 | MEDIUM | CVSS 6.3 | CWE-416 | ≥ 0.19.0, < 0.30.0 | v>=0.19.0, <=0.29.0 | 2021-09-17
Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing m
ghsa, nvd, osv

CVE-2023-41880 | P4 | MEDIUM | CVSS 5.3 | CWE-193 | ≥ 10.0.0, < 10.0.2 | ≥ 11.0.0, < 11.0.2 | +4 more | 2023-09-15
Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions from 10.0.0 to versions 10.02, 11.0.2, and 12.0.1 contain a miscompilation of the WebAssembly `i64x2.shr_s` instruction on x86_64 platforms when the shift amount is a constant value that is larger than 32. Only x86_64 is affected so all other targets are not affected by this. The mi
ghsa, nvd, osv

CVE-2026-34944 | P4 | MEDIUM | CVSS 5.7 | CWE-248 | fixed in 24.0.7 | ≥ 25.0.0, < 36.0.7 | +5 more | 2026-04-09
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, on x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in an uncaught segfault due to loading from unmapped
ghsa, nvd, osv

CVE-2026-24116 | P4 | MEDIUM | CVSS 5.5 | CWE-125 | ≥ 29.0.0, < 36.0.5 | ≥ 40.0.0, < 40.0.3 | +4 more | 2026-01-27
Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in an uncaught segfault due
ghsa, nvd, osv

CVE-2024-30266 | P4 | MEDIUM | CVSS 5.5 | CWE-843 | v19.0.0 | v= 19.0.0 | 2024-04-04
wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this panic. This vulnerability has been patched in version 19.0.1.
ghsa, nvd, osv

CVE-2023-27477 | P4 | MEDIUM | CVSS 4.3 | CWE-193 | ≥ 0.37.0, < 4.0.1 | v5.0.0 | +7 more | 2023-03-08
wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's code generation backend, Cranelift, has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will produce the wrong results when the same operand is provided to the instruction and some of the selected indices are greater than 16. There is an off-by-one error
ghsa, nvd, osv

CVE-2026-34983 | P4 | MEDIUM | CVSS 5.0 | CWE-416 | v43.0.0 | v>= 43.0.0, < 43.0.1 | 2026-04-09
Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following steps must occur to trigger the bug: clone a wasmtime::L
ghsa, nvd, osv

CVE-2025-53901 | P4 | LOW | CVSS 3.5 | CWE-672 | fixed in 24.0.4 | ≥ 33.0.0, < 33.0.2 | +3 more | 2025-07-18
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_open` after calling `fd_renumber` with either two equal argument values or a
ghsa, nvd, osv

CVE-2025-62711 | P4 | LOW | CVSS 3.1 | CWE-755 | ≥ 38.0.0, < 38.0.3 | v>= 38.0.0, < 38.0.3 | 2025-10-24
Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3, the implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. Wasmtime 38.0.3 has been relea
ghsa, nvd, osv

CVE-2025-61670 | P4 | LOW | CVSS 3.3 | CWE-772 | v37.0.0 | v37.0.1 | +1 more | 2025-10-07
Wasmtime is a runtime for WebAssembly. Wasmtime 37.0.0 and 37.0.1 have memory leaks in the C/C++ API when using bindings for the `anyref` or `externref` WebAssembly values. This is caused by a regression introduced during the development of 37.0.0 and all prior versions of Wasmtime are unaffected. If `anyref` or `externref` is not used in the C/C++ API
nvd