PT-2026-31684 · Bytecode Alliance · Wasmtime

Published 2026-04-09 · Updated 2026-05-06 · CVE-2026-34943

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Wasmtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1

Description

Wasmtime, a runtime for WebAssembly, may experience a panic when a flags-typed component model value is lifted with the Val type. This occurs if bits are set outside the expected flags, leading to a guest-controlled panic within the host, which is considered a denial-of-service vector. This issue specifically affects flags-typed values within a WIT interface and the lifting process into Val, not the flags! macro.
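
The bug class described above, as an added illustration that is not Wasmtime's code or its actual patch: a lift routine that indexes the declared flag names by bit position panics on an undeclared bit, while one that validates the guest-supplied bitmask returns an error the host can handle. The names FLAG_NAMES, lift_flags_unchecked and lift_flags_checked, and the three-member flags type, are hypothetical.

```rust
// Added illustration of the bug class; not Wasmtime's code.
// FLAG_NAMES and both lift_flags_* functions are hypothetical names.

/// Names declared by a constructed WIT `flags` type with three members.
const FLAG_NAMES: [&str; 3] = ["read", "write", "exec"];

/// Fragile pattern: trusts that the guest only sets declared bits.
/// `names[bit]` panics for any set bit at or above `names.len()`.
fn lift_flags_unchecked(bits: u32, names: &[&str]) -> Vec<String> {
    (0..32usize)
        .filter(|&bit| bits & (1u32 << bit) != 0)
        .map(|bit| names[bit].to_string())
        .collect()
}

/// Hardened pattern: the bitmask is untrusted guest input, so undeclared
/// bits become an error value instead of a host panic.
fn lift_flags_checked(bits: u32, names: &[&str]) -> Result<Vec<String>, String> {
    // Mask of declared bits; checked_shl avoids overflow at 32 or more flags.
    let declared = 1u32
        .checked_shl(names.len() as u32)
        .map_or(u32::MAX, |v| v - 1);
    let stray = bits & !declared;
    if stray != 0 {
        return Err(format!("undeclared flag bits set: {stray:#x}"));
    }
    Ok(names
        .iter()
        .take(32)
        .enumerate()
        .filter(|&(i, _)| bits & (1u32 << i) != 0)
        .map(|(_, name)| name.to_string())
        .collect())
}

fn main() {
    // Constructed guest values: 0b011 is valid, 0b1000 sets an undeclared bit.
    println!("{:?}", lift_flags_checked(0b011, &FLAG_NAMES));
    println!("{:?}", lift_flags_checked(0b1000, &FLAG_NAMES));
    let r = std::panic::catch_unwind(|| lift_flags_unchecked(0b1000, &FLAG_NAMES));
    println!("unchecked lift panicked: {}", r.is_err());
}
```
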

Recommendations

Update to Wasmtime version 24.0.7, 36.0.7, 42.0.2, or 43.0.1.

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-34943
GHSA-M758-WJHJ-P3JQ
OPENSUSE-SU-2026:10715-1
RUSTSEC-2026-0085

Affected Products

Wasmtime