CVE-2026-44216

Wasmtime: Panic when allocating a table exceeding the size of the host's address space

Assigner: GitHub_M
Reserved: 05.05.2026 Published: 14.05.2026 Updated: 14.05.2026

Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 5.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	High	Availability	None
Privileges Required	Low
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	bytecodealliance
Product	wasmtime
Versions	Version >= 30.0.0, < 36.0.8 is affected Version >= 37.0.0, < 43.0.2 is affected Version 44.0.0 is affected

Vendor

bytecodealliance

Product

wasmtime

Versions

Version >= 30.0.0, < 36.0.8 is affected
Version >= 37.0.0, < 43.0.2 is affected
Version 44.0.0 is affected

References

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling CWE

CVE-2026-44216 PUBLISHED

Wasmtime: Panic when allocating a table exceeding the size of the host's address space

Metrics

Product Status

References

Problem Types