VYPR
High severity7.5GHSA Advisory· Published May 14, 2026· Updated May 18, 2026

CVE-2026-44216

CVE-2026-44216

Description

Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
wasmtimecrates.io
>= 30.0.0, < 36.0.836.0.8
wasmtimecrates.io
>= 37.0.0, < 43.0.243.0.2

Affected products

11

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.