CVE-2026-44216

UNKNOWN 0.0

Wasmtime: Panic when allocating a table exceeding the size of the host's address space

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.

CWE	CWE-770
Vendor	bytecodealliance
Product	wasmtime
Published	May 14, 2026

Stay Ahead of the Next One

Get instant alerts for bytecodealliance wasmtime

Be the first to know when new unknown vulnerabilities affecting bytecodealliance wasmtime are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

bytecodealliance / wasmtime

>= 30.0.0, < 36.0.8 >= 37.0.0, < 43.0.2 44.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg