Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-05-14T14:54:32 wasmtime: Wasmtime: Denial of Service via large WebAssembly table allocation 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE-190

Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.

A flaw was found in Wasmtime, a runtime for WebAssembly. A remote attacker could exploit an arithmetic overflow vulnerability by instantiating a WebAssembly module or component that attempts to allocate an extremely large table using the WebAssembly memory64 proposal. This flaw causes Wasmtime to panic, resulting in a Denial of Service (DoS) for the affected system.

Red Hat Enterprise Linux 10 Not affected virt-firmware-rs Red Hat Hardened Images Affected rust https://www.cve.org/CVERecord?id=CVE-2026-44216 https://nvd.nist.gov/vuln/detail/CVE-2026-44216 https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg