CVE-2026-44216
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| bytecodealliance | wasmtime | >= 30.0.0, < 36.0.8 | affected |
| bytecodealliance | wasmtime | >= 37.0.0, < 43.0.2 | affected |
| bytecodealliance | wasmtime | 44.0.0 | affected |
Weaknesses
- CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
wasmtime: Wasmtime: Denial of Service via large WebAssembly table allocation
Additional References
- https://access.redhat.com/security/cve/CVE-2026-44216
- https://bugzilla.redhat.com/show_bug.cgi?id=2477467
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44216.json
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.