Debian Rust-Wasmtime vulnerabilities

27 known vulnerabilities affecting debian/rust-wasmtime.

Total CVEs: 27
CISA KEV: 0
Public exploits: 0
Exploited in wild: 1
Severity breakdown: MEDIUM 4, LOW 23

Vulnerabilities

Page 1 of 2
CVE-2026-24116 | MEDIUM | CVSS 4.1 | 2026 | debian
[MEDIUM] rust-wasmtime: Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in an uncaught segfault due to loadin

CVE-2026-27204 | MEDIUM | CVSS 6.9 | fixed in rust-wasmtime 36.0.6+dfsg-1 (forky) | 2026 | debian
[MEDIUM] rust-wasmtime: Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces is susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested by the guests. This serves as a Denial of Service vector. Wasm

CVE-2026-27572 | MEDIUM | CVSS 6.9 | fixed in rust-wasmtime 36.0.6+dfsg-1 (forky) | 2026 | debian
[MEDIUM] rust-wasmtime: Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it re

CVE-2026-27195 | LOW | CVSS 6.9 | 2026 | debian
[MEDIUM] rust-wasmtime: Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` which made it capable of calling async-typed guest export functions. However, that implementation had a bug leading to a panic under certain circumstances: First,

CVE-2025-53901 | LOW | CVSS 3.5 | 2025 | debian
[LOW] rust-wasmtime: Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_open` after calling `fd_renumber` with either two equal argument values or a second a

CVE-2025-62711 | LOW | CVSS 2.1 | 2025 | debian
[LOW] rust-wasmtime: Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3, the implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. Wasmtime 38.0.3 has been released and

CVE-2025-61670 | LOW | CVSS 1.0 | 2025 | debian
[LOW] rust-wasmtime: Wasmtime is a runtime for WebAssembly. Wasmtime 37.0.0 and 37.0.1 have memory leaks in the C/C++ API when using bindings for the `anyref` or `externref` WebAssembly values. This is caused by a regression introduced during the development of 37.0.0 and all prior versions of Wasmtime are unaffected. If `anyref` or `externref` is not used in the C/C++ API then emb

CVE-2025-64345 | LOW | CVSS 1.8 | fixed in rust-wasmtime 27.0.0+dfsg-2 (forky) | 2025 | debian
[LOW] rust-wasmtime: Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could b

CVE-2024-47763 | MEDIUM | CVSS 5.5 | Exploited | fixed in rust-wasmtime 21.0.2+dfsg-1 (forky) | 2024 | debian
[MEDIUM] rust-wasmtime: Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtime crash is a deterministic process abort when Wasmtime is compi

CVE-2024-51745 | LOW | CVSS 2.3 | fixed in rust-wasmtime 26.0.1+dfsg-1 (forky) | 2024 | debian
[LOW] rust-wasmtime: Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. Untrusted Wasm

CVE-2024-30266 | LOW | CVSS 3.3 | fixed in rust-wasmtime 21.0.2+dfsg-1 (forky) | 2024 | debian
[LOW] rust-wasmtime: wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this panic. This vulnerability has been patched in version 19.0.1. Scope: local forky: reso

CVE-2024-47813 | LOW | CVSS 2.9 | fixed in rust-wasmtime 21.0.2+dfsg-1 (forky) | 2024 | debian
[LOW] rust-wasmtime: Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurren

CVE-2023-41880 | LOW | CVSS 2.2 | fixed in rust-wasmtime 15.0.0+dfsg-1 (forky) | 2023 | debian
[LOW] rust-wasmtime: Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions from 10.0.0 to versions 10.02, 11.0.2, and 12.0.1 contain a miscompilation of the WebAssembly `i64x2.shr_s` instruction on x86_64 platforms when the shift amount is a constant value that is larger than 32. Only x86_64 is affected so all other targets are not affected by this. The miscompilation

CVE-2023-26489 | LOW | CVSS 9.9 | 2023 | debian
[CRITICAL] rust-wasmtime: wasmtime is a fast and secure runtime for WebAssembly. In affected versions wasmtime's code generator, Cranelift, has a bug on x86_64 targets where address-mode computation mistakenly would calculate a 35-bit effective address instead of WebAssembly's defined 33-bit effective address. This bug means that, with default codegen settings, a wasm-controlled lo

CVE-2023-27477 | LOW | CVSS 3.1 | 2023 | debian
[LOW] rust-wasmtime: wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's code generation backend, Cranelift, has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will produce the wrong results when the same operand is provided to the instruction and some of the selected indices are greater than 16. There is an off-by-one error in the calc

CVE-2023-30624 | LOW | CVSS 3.9 | 2023 | debian
[LOW] rust-wasmtime: Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level issues when compiled with LLVM 16 which causes some writes, which are critical for cor

CVE-2022-31169 | LOW | CVSS 5.9 | 2022 | debian
[MEDIUM] rust-wasmtime: Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, for AArch64 targets where constant divisors can result in incorrect division results at runtime. This affects Wasmtime prior to version 0.38.2 and Cranelift prior to 0.85.2. This issue only affects the AArch64 platform. Other platforms are not affected.

CVE-2022-31104 | LOW | CVSS 4.8 | 2022 | debian
[MEDIUM] rust-wasmtime: Wasmtime is a standalone runtime for WebAssembly. In affected versions wasmtime's implementation of the SIMD proposal for WebAssembly on x86_64 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The aarch64 implementation of the simd proposal is not affected. The bugs were present in the `i8x16.swizzle` and `select` WebAssem

CVE-2022-39392 | LOW | CVSS 5.9 | 2022 | debian
[MEDIUM] rust-wasmtime: Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator when the allocator is configured to give WebAssembly instances a maximum of zero pages of memory. In this configuration, the virtual memory mapping for WebAssembly memories did not meet the compiler-required

CVE-2022-31146 | LOW | CVSS 6.4 | 2022 | debian
[MEDIUM] rust-wasmtime: Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing metadata required for runtime garbage collection. This means that if a GC happens at runtime then the GC pass will mistakenly think these functions do not have live references to GC'd v