GHSA-P8XM-42R7-89XG

Vulnerability from github – Published: 2026-05-07 00:08 – Updated: 2026-05-14 20:49
VLAI
Summary
wasmtime has a panic when allocating a table exceeding the size of the host's address space
Details

Impact

Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component.

This bug does not affect the pooling allocator which limits tables sizes to much less than the required amount to trigger the overflow. This bug is only present for the on-demand instance allocator, which is Wasmtime's default allocator. This bug also requires the memory64 WebAssembly feature to be enabled, which is on-by-default.

Panicking in the host process is considered a denial-of-service vector for Wasmtime.

Patches

Wasmtime 36.0.8, 43.0.2, and 44.0.1 have all been released which fixes this issue.

Workarounds

Embeddings can switch to using the pooling allocator to work around this issue, or the memory64 WebAssembly proposal can be disabled. Otherwise there is no workaround and users are recommended to upgrade.

Severity
5.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "30.0.0"
            },
            {
              "fixed": "36.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "37.0.0"
            },
            {
              "fixed": "43.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T00:08:59Z",
    "nvd_published_at": "2026-05-14T15:16:47Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWasmtime\u0027s allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component.\n\nThis bug does not affect the pooling allocator which limits tables sizes to much less than the required amount to trigger the overflow. This bug is only present for the on-demand instance allocator, which is Wasmtime\u0027s default allocator. This bug also requires the `memory64` WebAssembly feature to be enabled, which is on-by-default.\n\nPanicking in the host process is considered a denial-of-service vector for Wasmtime.\n\n### Patches\n\nWasmtime 36.0.8, 43.0.2, and 44.0.1 have all been released which fixes this issue.\n\n### Workarounds\n\nEmbeddings can switch to using the pooling allocator to work around this issue, or the `memory64` WebAssembly proposal can be disabled. Otherwise there is no workaround and users are recommended to upgrade.",
  "id": "GHSA-p8xm-42r7-89xg",
  "modified": "2026-05-14T20:49:47Z",
  "published": "2026-05-07T00:08:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44216"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bytecodealliance/wasmtime"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0114.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "wasmtime has a panic when allocating a table exceeding the size of the host\u0027s address space"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.