{ "threat_severity" : "Important", "public_date" : "2026-05-14T14:54:32Z", "bugzilla" : { "description" : "wasmtime: Wasmtime: Denial of Service via large WebAssembly table allocation", "id" : "2477467", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2477467" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-190", "details" : [ "Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.", "A flaw was found in Wasmtime, a runtime for WebAssembly. A remote attacker could exploit an arithmetic overflow vulnerability by instantiating a WebAssembly module or component that attempts to allocate an extremely large table using the WebAssembly memory64 proposal. This flaw causes Wasmtime to panic, resulting in a Denial of Service (DoS) for the affected system." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "virt-firmware-rs", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Hardened Images", "fix_state" : "Affected", "package_name" : "rust", "cpe" : "cpe:/a:redhat:hummingbird:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-44216\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-44216\nhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg" ], "name" : "CVE-2026-44216", "csaw" : false }