9 matches found
CVE-2021-39218
Technical details about CVE-2021-39218 (affected Wasmtime versions 0.26.0–0.30.0, root cause, exploit paths, and fixes) are not provided in the supplied documents. Monitor for official disclosures and patches.
CVE-2022-31104
CVE-2022-31104 concerns Wasmtime’s x86_64 SIMD implementation. Two Cranelift lowering bugs affected i8x16.swizzle and select for v128 inputs: swizzle overwrote the mask input register, potentially corrupting a constant; and select incorrectly handled 128‑bit vectors when the condition was 0, movi...
CVE-2021-39219
Technical details about CVE-2021-39219 are not publicly provided in the connected documents. Monitor for updates from official advisories; the supplied sources do not enumerate affected products/versions or fixes beyond the initial description.
CVE-2021-39216
Wasmtime (pre-0.30.0) contains a use-after-free when passing multiple externref values from host to guest Wasm, potentially allowing a GC to reclaim the first externref and then reuse it after control returns to Wasm. Affected versions are 0.19.0–0.29.0; upgrading to Wasmtime 0.30.0 fixes the iss...
CVE-2026-34988
Summary: CVE-2026-34988 affects Wasmtime’s pooling allocator. In certain configurations, when embedding allows specific settings, memory contents can leak between linear memories across WebAssembly instances, breaking Wasmtime’s sandbox. The issue stems from incorrect VM-permission reset logic in...
CVE-2026-34942
Wasmtime VM exposes a DoS risk due to a panic-triggering path when transcoding strings into utf16/latin1+utf16. Root cause: alignment verification for reallocated strings was improper, allowing unaligned pointers to be passed to the host by a malicious guest. Affected versions prior to fixed rele...
CVE-2026-34945
Wasmtime (Winch) vulnerability: a bug in the 64-bit memory64 table.size translation could disclose data from the host stack to WebAssembly guests. Affected builds range 25.0.0 through just before 36.0.7, 42.0.2, and 43.0.1. Root cause: return value of table.size was statically typed as 32‑bit ins...
CVE-2026-27204
CVE-2026-27204 involves Wasmtime’s WASI host interfaces, where guest code could exhaust host resources due to insufficient limits on resource allocations. Affected versions prior to fixes include 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0. The fixes are released in Wasmtime 24.0.6, 36.0.6, 40.0.4...
CVE-2026-35195
The CVE-2026-35195 vulnerability affects Wasmtime (WebAssembly runtime) where the guest component’s realloc return value is not validated during transcoding of component-model strings. This can allow a guest to cause the host to write arbitrary transcoded string bytes to an arbitrary address up t...