CVE-2026-44216
Description
Wasmtime is a runtime for WebAssembly. From 30.0.0 until the fixed releases 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic that panicked on overflow. The overflow, and thus the panic, can be triggered when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal, where tables can have sizes in the 64-bit range, as opposed to the previous 32-bit range, which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wasmtime (crates.io) | >= 30.0.0, < 36.0.8 | 36.0.8 |
| wasmtime (crates.io) | >= 37.0.0, < 43.0.2 | 43.0.2 |
Affected products
- (no CPE), range: >= 37.0.0, < 43.0.2
- cpe:2.3:a:bytecodealliance:wasmtime:44.0.0:*:*:*:*:rust:*:*
- cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*, range: >= 30.0.0, < 36.0.8
- OSV coordinates (8 versions, no CPE):
  - pkg:apk/chainguard/wizer, range: < 11.0.3-r12
  - pkg:apk/chainguard/yara-x, range: < 1.16.0-r1
  - pkg:apk/wolfi/wizer, range: < 11.0.3-r12
  - pkg:apk/wolfi/yara-x, range: < 1.16.0-r1
  - pkg:cargo/wasmtime, range: >= 30.0.0, < 36.0.8
  - pkg:rpm/opensuse/tree-sitter&distro=openSUSE%20Tumbleweed, range: < 0.26.8-3.1
  - pkg:rpm/suse/tree-sitter&distro=SUSE%20Linux%20Enterprise%20Server%2016.0, range: < 0.26.8-160000.2.1
  - pkg:rpm/suse/tree-sitter&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0, range: < 0.26.8-160000.2.1
References
- github.com/advisories/GHSA-p8xm-42r7-89xg (source: ghsa; ADVISORY)
- github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg (source: nvd; Mitigation, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-44216 (source: ghsa; ADVISORY)
- rustsec.org/advisories/RUSTSEC-2026-0114.html (source: ghsa; WEB)