40 matches found
CVE-2023-26489
Summary of CVE-2023-26489 (wasmtime/Cranelift): In x86_64, Cranelift’s address-mode computation could extend a 32-bit WebAssembly address to 64 bits, producing an effective address up to 35 bits away from linear memory. With default codegen, this allowed wasm-controlled loads/stores to read/write...
CVE-2023-27477
Wasmtime Cranelift on x86_64 has a codegen bug for i8x16.select that can yield incorrect results when the same operand is used and some selected indices exceed 16. The off-by-one error in the mask calculation for pshufb may cause wrong results when lanes are taken from the second vector. This iss...
CVE-2024-47813
CVE-2024-47813 is a race-condition bug in Wasmtime where concurrent creation/dropping of types (e.g., FuncType, ArrayType) on a shared wasmtime::Engine can cause double-unregistration, potentially corrupting the internal type registry and violating WebAssembly CFI and type safety. The issue arise...
CVE-2024-30266
CVE-2024-30266 affects the Wasmtime WebAssembly runtime. The 19.0.0 release contained a regression that can cause a guest WebAssembly module to panic the host runtime when executed, potentially impacting host stability. The issue is addressed in Wasmtime 19.0.1. Multiple sources (NVD/NIST entry, ...
CVE-2024-47763
The CVE-2024-47763 issue affects Wasmtime’s WebAssembly runtime, where tail-call support combined with stack traces can trigger a crash. Root cause: when a WebAssembly function uses return_call/return_call_indirect/return_call_ref to a host function that captures a stack trace, the stack-walking ...
CVE-2024-51745
Wasmtime on Windows had a sandbox bypass where filenames with superscript digits (e.g., COM¹, LPT⁰) were not blocked, allowing untrusted Wasm code with filesystem access to reach devices and peripherals via special device filenames. Affected software: Wasmtime’s Windows filesystem sandbox. Root c...
CVE-2022-24791
The CVE refers to Wasmtime (WebAssembly JIT runtime using Cranelift) with a use-after-free vulnerability that occurs when running Wasm code using externrefs while epoch interruption is enabled. The issue is caused by Cranelift failing to emit stack maps for safepoints inside cold blocks, which re...
CVE-2025-53901
Wasmtime WASI (wasmtime-wasi) contains a bug in the WASIp1 import implementation. Prior to 24.0.4, 33.0.2, and 34.0.2, calling fd_renumber followed by path_open can cause a WebAssembly guest to panic the host (embedder). The panic results from a corrupt state in fd_renumber when a second open fil...
CVE-2021-39218
Technical details about CVE-2021-39218 (affected Wasmtime versions 0.26.0–0.30.0, root cause, exploit paths, and fixes) are not provided in the supplied documents. Monitor for official disclosures and patches.
CVE-2021-39219
Technical details about CVE-2021-39219 are not publicly provided in the connected documents. Monitor for updates from official advisories; the supplied sources do not enumerate affected products/versions or fixes beyond the initial description.
CVE-2022-23636
CVE-2022-23636 affects Wasmtime prior to 0.34.1 and 0.33.1, due to a bug in the pooling instance allocator that can cause an invalid drop of a VMExternRef when a module defines an externref global and instance creation fails. The vulnerability depends on specific conditions (e.g., mprotect/Virtua...
CVE-2022-31104
CVE-2022-31104 concerns Wasmtime’s x86_64 SIMD implementation. Two Cranelift lowering bugs affected i8x16.swizzle and select for v128 inputs: swizzle overwrote the mask input register, potentially corrupting a constant; and select incorrectly handled 128‑bit vectors when the condition was 0, movi...
CVE-2022-31169
CVE-2022-31169 affects Wasmtime’s Cranelift codegen on AArch64. A miscompilation in constant division may place incorrect values in registers due to sign/zero-extension rules, impacting WebAssembly sandbox correctness. Affected: Wasmtime prior to 0.38.2 and Cranelift prior to 0.85.2; fixed in Was...
CVE-2021-39216
Wasmtime (pre-0.30.0) contains a use-after-free when passing multiple externref values from host to guest Wasm, potentially allowing a GC to reclaim the first externref and then reuse it after control returns to Wasm. Affected versions are 0.19.0–0.29.0; upgrading to Wasmtime 0.30.0 fixes the iss...
CVE-2022-31146
CVE-2022-31146 affects Wasmtime (Cranelift) in the migration to the regalloc2 allocator (Wasmtime 0.37.0). The bug may cause metadata for reference-typed functions to be missing during GC, making the GC pass think there are no live references, leading to use-after-free when values are later acces...
CVE-2022-39392
CVE-2022-39392 affects Wasmtime’s pooling instance allocator when InstanceLimits::memory_pages is set to zero. In this configuration, the virtual memory mapping for WebAssembly memories can fail to meet safety requirements, allowing out-of-bounds reads/writes to access memory outside the wasm san...
CVE-2022-39393
Wasmtime vulnerability CVE-2022-39393: prior to versions 2.0.2 and 1.0.2, a bug in the pooling instance allocator can cause the initial heap snapshot of a prior instance to be visible to the next instance when reusing linear memory. This data leakage between instances can lead to information expo...
CVE-2023-41880
CVE-2023-41880 affects Wasmtime on x86_64 where a miscompilation of the WebAssembly i64x2.shr_s instruction occurs for constant shift amounts greater than 32. Versions 10.0.0 through 10.0.2, 11.0.2, and 12.0.1 contain the issue; patch versions 10.0.2, 11.0.2, and 12.0.2 fix it (11.0.2 and 12.0.2 ...
CVE-2022-39394
CVE-2022-39394 affects Wasmtime prior to 2.0.2: a mismatch in the wasmtime_trap_code C API implementation can cause a 4-byte write into a 1-byte caller buffer, writing three zero bytes beyond the provided location. The issue is fixed in Wasmtime 2.0.2. Workaround: cast a 4-byte buffer to a 1-byte...
CVE-2023-30624
Wasmtime CVE-2023-30624 concerns an LLVM-level undefined behavior in per-instance state management (VMContext) of the Wasmtime runtime. The issue occurs in Wasmtime versions prior to 6.0.2, 7.0.1, and 8.0.1 and arises when unsafe code mutates VMContext data via methods using &self, which can lead...
CVE-2026-34987
Wasmtime (WebAssembly runtime) with the Winch baseline compiler backend on aarch64 is vulnerable. From 25.0.0 up to but not including 36.0.7, 42.0.2, and 43.0.1, using -Ccompiler=winch may allow a guest Wasm to access host memory outside the linear-memory sandbox. The aarch64 variant has an obser...
CVE-2026-44216
Wasmtime (WebAssembly runtime) contains a vulnerability in its allocation logic for WebAssembly tables: checked arithmetic may panic on overflow when allocating extremely large tables (possible with memory64). Affects Wasmtime versions 30.0.0–36.0.8, 43.0.2, and 44.0.1. The panic occurs during cr...
CVE-2026-34983
Wasmtime 43.0.0 contains a use-after-free bug when cloning wasmtime::Linker, triggered by a specific host embedder API sequence (clone, drop original, use cloned linker). The issue is not controllable by guest Wasm programs and can manifest as a segfault; it does not enable heap corruption or dat...
CVE-2026-34988
Summary: CVE-2026-34988 affects Wasmtime’s pooling allocator. In certain configurations, when embedding allows specific settings, memory contents can leak between linear memories across WebAssembly instances, breaking Wasmtime’s sandbox. The issue stems from incorrect VM-permission reset logic in...
CVE-2026-27204
CVE-2026-27204 involves Wasmtime’s WASI host interfaces, where guest code could exhaust host resources due to insufficient limits on resource allocations. Affected versions prior to fixes include 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0. The fixes are released in Wasmtime 24.0.6, 36.0.6, 40.0.4...
CVE-2026-34941
Wasmtime (WebAssembly runtime) contains a heap OOB read during transcoding of UTF-16 to the latin1+utf16 component-model encoding. The bug stems from validating the input length by code units instead of by byte length, causing reads beyond the WebAssembly linear memory during bounds checking. In ...
CVE-2026-34942
Wasmtime VM exposes a DoS risk due to a panic-triggering path when transcoding strings into utf16/latin1+utf16. Root cause: alignment verification for reallocated strings was improper, allowing unaligned pointers to be passed to the host by a malicious guest. Affected versions prior to fixed rele...
CVE-2026-34971
Wasmtime’s Cranelift backend on the aarch64 path contains a miscompile of a specific load pattern (load(iadd(base, ishl(index, amt)))) that can diverge between bounds checking and loading, enabling an arbitrary read/write of host memory and thus a sandbox escape for guest WebAssembly. Affected ra...
CVE-2026-27572
Wasmtime (WebAssembly runtime) is affected by CVE-2026-27572 in the wasi:http/types.fields implementation. Prior to patched releases (Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0), the wasmtime-wasi-http crate uses a data structure that panics when the headers field set becomes excessively...
CVE-2026-35195
The CVE-2026-35195 vulnerability affects Wasmtime (WebAssembly runtime) where the guest component’s realloc return value is not validated during transcoding of component-model strings. This can allow a guest to cause the host to write arbitrary transcoded string bytes to an arbitrary address up t...
CVE-2026-27195
CVE-2026-27195 affects Wasmtime in versions where component-model-async is default (from 39.0.0). The bug causes a panic when a host embeds calls to wasmtime::component::[Typed]Func::call_async, drops the returned Future after polling, and then reuses the same component instance before the first ...
CVE-2026-47261
CVE-2026-47261: Wasmtime-wasi WASI path_open(TRUNCATE) bypasses the FilePerms::WRITE host restriction. Root cause: when OpenFlags::TRUNCATE is used, open_mode was not OR-ed with WRITE, allowing a READ-only preopen with DirPerms::all() to bypass access checks via wasip1 path_open or wasip2 descriptor...
CVE-2026-34946
Summary: Wasmtime’s Winch-based code path can panic the host when compiling the WebAssembly table.fill instruction. From 25.0.0 up to but not including 36.0.7, 42.0.2, and 43.0.1, a historical refactor changed how compiled code references table elements, but Winch paths were not updated, leading ...
CVE-2025-61670
CVE-2025-61670 affects Wasmtime 37.0.0 and 37.0.1, where memory leaks occur in the C/C++ API when using bindings for the WebAssembly values anyref/externref. The root cause is a Rust refactor changing ManuallyRooted to OwnedRooted and incomplete propagation of ownership semantics to the C/C++ API...
CVE-2025-62711
Wasmtime (WebAssembly runtime) versions 38.0.0–38.0.2 contain a bug in the component-model host-to-wasm trampolines that can crash the host (segfault or assert) when a component is carefully crafted and invoked in a specific way. This issue is fixed in Wasmtime 38.0.3; there are no known workarou...
CVE-2026-34943
Wasmtime (WebAssembly runtime) has a vulnerability where lifting a flags-typed component-model value with Val can panic if bits outside the allowed flags set are present. Affected versions before fixes include 24.0.7, 36.0.7, 42.0.2, and 43.0.1; the panic occurs in Wasmtime’s Val lifting (not in ...
CVE-2026-34945
Wasmtime (Winch) vulnerability: a bug in the 64-bit memory64 table.size translation could disclose data from the host stack to WebAssembly guests. Affected builds range from 25.0.0 up to but not including 36.0.7, 42.0.2, and 43.0.1. Root cause: return value of table.size was statically typed as 32‑bit ins...
CVE-2026-24116
CVE-2026-24116 affects Wasmtime (WebAssembly runtime) on x86-64 with AVX. The Cranelift-based compilation of the f64.copysign instruction may load 8 bytes too many, potentially causing an uncaught segfault when signals-based-traps are disabled and loading from guard pages occurs. Affected version...
CVE-2026-35186
Wasmtime is vulnerable due to a Winch backend bug in table.grow (affecting 32-bit tables) that could misinterpret the result and allow reads/writes to the 16 bytes before linear memory, causing DoS and potential host-data leakage. Affected versions: Wasmtime 25.0.0 up to but not including 36.0.7, 42.0.2, and ...
CVE-2026-34944
Wasmtime (WebAssembly runtime) prior to versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 on x86-64 with SSE3 disabled could compile f64x2.splat via Cranelift in a way that loads 8 extra bytes. When signals-based traps are disabled this may cause an uncaught segfault from unmapped guard pages. With gua...