PT-2026-38398 · Bytecode Alliance · Wasmtime
Alexcrichton · Published 2026-04-30 · Updated 2026-06-01 · CVE-2026-44216
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Wasmtime versions prior to 36.0.8
Wasmtime versions prior to 43.0.2
Wasmtime versions prior to 44.0.1
Description
Allocation logic for a WebAssembly table contains checked arithmetic that panics on overflow when a table with an extremely large size is allocated. This occurs during the instantiation of a WebAssembly module or component and is possible when the memory64 WebAssembly feature is enabled, allowing table sizes in the 64-bit range. The issue specifically affects the on-demand instance allocator, which is the default allocator, and can lead to a denial of service by causing the host process to panic.
Recommendations
Update to version 36.0.8.
Update to version 43.0.2.
Update to version 44.0.1.
Switch to using the pooling allocator.
Disable the memory64 WebAssembly proposal.
Fix
Allocation of Resources Without Limits
Weakness Enumeration
Related Identifiers
Affected Products
Wasmtime
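
The failure mode from the Description, as an added sketch in Rust (not Wasmtime's code): checked arithmetic whose overflow becomes a panic, beside a form that enforces a limit and returns an error the embedder can handle. The function names, the pointer-sized element width and the limit value are assumptions made for illustration.

```rust
use std::convert::TryFrom;
use std::mem::size_of;
use std::panic;

// Assumption for this sketch: one pointer-sized slot per table element.
const ELEM_SIZE: usize = size_of::<usize>();

#[derive(Debug, PartialEq)]
enum TableAllocError {
    TooLarge { requested: u64, limit: u64 },
    SizeOverflow,
}

/// Pattern the advisory describes: the arithmetic is checked, but an
/// overflow is converted into a panic, which takes the host process down.
fn table_bytes_panicking(elems: u64) -> usize {
    let n = usize::try_from(elems).expect("table size fits in usize");
    n.checked_mul(ELEM_SIZE).expect("table byte size overflow")
}

/// Hardened form: apply a host limit first, then report overflow as an error
/// so only the offending instantiation fails, not the whole process.
fn table_bytes_checked(elems: u64, limit: u64) -> Result<usize, TableAllocError> {
    if elems > limit {
        return Err(TableAllocError::TooLarge { requested: elems, limit });
    }
    usize::try_from(elems)
        .ok()
        .and_then(|n| n.checked_mul(ELEM_SIZE))
        .ok_or(TableAllocError::SizeOverflow)
}

/// Returns true if the panicking variant panics for `elems`.
fn panics_on(elems: u64) -> bool {
    panic::catch_unwind(|| table_bytes_panicking(elems)).is_err()
}

fn main() {
    // Constructed input: a table size in the 64-bit range, as memory64 allows.
    let huge = u64::MAX;
    let limit = 10_000_000; // hypothetical host policy
    println!("panicking variant panics: {}", panics_on(huge));
    println!("checked variant: {:?}", table_bytes_checked(huge, limit));
    println!("small table: {:?}", table_bytes_checked(1024, limit));
}
```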