
CVE-2026-44216

Published 14/05/2026 15:16 · Modified 14/05/2026 18:17

Labels: CVE-2026-44216, 2026-05-14, CWE-770, [email protected]

Essential information

Published: 14/05/2026 15:16
Modified: 14/05/2026 18:17
CVSS: 5.9 MEDIUM (v3), 5.9 MEDIUM (v4.0)
CISA KEV: No
CWE: CWE-770


Description

Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. The overflow, and therefore the panic, can be triggered by allocating a table with an extremely large size. This is possible with the WebAssembly memory64 proposal, where tables can have sizes in the 64-bit range, as opposed to the previous 32-bit range, which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.

NVD status

Status: Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product              CPE
wasmtime / wasmtime  cpe:2.3:a:wasmtime:wasmtime:30.0.0-36.0.8:*:*:*:*:*:*:*
wasmtime / wasmtime  cpe:2.3:a:wasmtime:wasmtime:43.0.2:*:*:*:*:*:*:*
wasmtime / wasmtime  cpe:2.3:a:wasmtime:wasmtime:44.0.1:*:*:*:*:*:*:*
