Denial of Service Vulnerability in Wasmtime from Bytecode Alliance
CVE-2026-34943

5.6 MEDIUM

Key Information:

CVE Published: 9 April 2026

What is CVE-2026-34943?

A denial of service vulnerability exists in Wasmtime, a WebAssembly runtime, in versions prior to the fixed releases listed below. Wasmtime lifts a flags-typed component model value incorrectly: if the value has bits set outside the expected flags, lifting it triggers a panic. The condition is guest-controlled, and the panic occurs in the host environment. The panic does not occur with the `flags!` macro, but it is a risk when flags-typed values are handled as part of a WIT interface, which makes it a vector for denial of service attacks. Users are advised to upgrade to the fixed versions to mitigate this risk.

Affected Version(s)

wasmtime < 24.0.7

wasmtime >= 25.0.0, < 36.0.7

wasmtime >= 37.0.0, < 42.0.2
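
A check for the affected ranges listed above, as an added example (not code from the advisory or the Wasmtime project): it scans `Cargo.lock` text for locked `wasmtime` versions and marks those that fall inside the ranges. The lockfile excerpt is constructed, and reporting any version that is not plain `major.minor.patch` as affected (so that it gets reviewed) is an assumption of this example.

```rust
// Added example: constructed input; function names are illustrative.

/// Parse a plain "major.minor.patch" version; anything else yields None.
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let p = s.split('.').map(|x| x.parse::<u64>().ok()).collect::<Option<Vec<u64>>>()?;
    if p.len() == 3 { Some((p[0], p[1], p[2])) } else { None }
}

/// Ranges from this page: < 24.0.7; >= 25.0.0, < 36.0.7; >= 37.0.0, < 42.0.2.
fn is_affected(v: (u64, u64, u64)) -> bool {
    v < (24, 0, 7) || ((25, 0, 0)..(36, 0, 7)).contains(&v) || ((37, 0, 0)..(42, 0, 2)).contains(&v)
}

/// Return every locked `wasmtime` version together with its affected status.
fn scan_lockfile(lock: &str) -> Vec<(String, bool)> {
    let mut out = Vec::new();
    let mut in_wasmtime = false;
    for line in lock.lines().map(str::trim) {
        if let Some(name) = line.strip_prefix("name = ") {
            // Exact match only: sibling crates such as wasmtime-environ are skipped.
            in_wasmtime = name == "\"wasmtime\"";
        } else if let Some(ver) = line.strip_prefix("version = ") {
            let ver = ver.trim_matches('"');
            if in_wasmtime {
                // Assumption: unparseable versions count as affected so they get reviewed.
                out.push((ver.to_string(), parse_version(ver).map_or(true, is_affected)));
            }
            in_wasmtime = false;
        }
    }
    out
}

// Constructed Cargo.lock excerpt (not from a real project).
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "wasmtime"
version = "36.0.6"
[[package]]
name = "wasmtime-environ"
version = "36.0.6"
[[package]]
name = "wasmtime"
version = "42.0.2"
"#;

fn main() {
    println!("{:?}", scan_lockfile(SAMPLE_LOCK));
}
```

A `true` next to a version means it is inside one of the affected ranges and should be moved to a fixed release.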

CVSS V4

Score: 5.6
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
