Overflow Vulnerability in Wasmtime Runtime for WebAssembly
CVE-2026-44216

5.9MEDIUM

Key Information:

Vendor: Bytecodealliance
Status: Wasmtime
Vendor: CVE Published:; 14 May 2026

🔔 Create Bytecodealliance Vulnerability Alert

What is CVE-2026-44216?

The Wasmtime runtime for WebAssembly is prone to an overflow vulnerability in its allocation logic for WebAssembly tables. This issue arises in versions 30.0.0 to 36.0.8, and 43.0.2, and 44.0.1, when attempting to allocate an extremely large table size, especially under the WebAssembly memory64 proposal. The overflow can lead to panic conditions when instantiating a WebAssembly module or component, therefore impacting the stability and reliability of applications built using Wasmtime. The issue has been addressed in later versions, enhancing the robustness of table handling.

Affected Version(s)

wasmtime >= 30.0.0, < 36.0.8 < 30.0.0, 36.0.8

wasmtime >= 37.0.0, < 43.0.2 < 37.0.0, 43.0.2

wasmtime 44.0.0

References

https://github.com/bytecodealliance/wasmtime/security/adv...

x_refsource_CONFIRM

CVSS V4

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
May 5, 2026

CVE-2026-44216 Data

JSON