Lucene search
+L
BytecodeallianceWasmtime

9 matches found

CVE
CVE
added 2022/07/21 1:50 p.m.83 views

CVE-2022-31169

CVE-2022-31169 affects Wasmtime’s Cranelift codegen on AArch64. A miscompilation in constant division may place incorrect values in registers due to sign/zero-extension rules, impacting WebAssembly sandbox correctness. Affected: Wasmtime prior to 0.38.2 and Cranelift prior to 0.85.2; fixed in Was...

7.5CVSS6.8AI score0.00791EPSS
CVE
CVE
added 2022/11/10 12:0 a.m.78 views

CVE-2022-39392

CVE-2022-39392 affects Wasmtime’s pooling instance allocator when InstanceLimits::memory_pages is set to zero. In this configuration, the virtual memory mapping for WebAssembly memories can fail to meet safety requirements, allowing out-of-bounds reads/writes to access memory outside the wasm san...

7.4CVSS6.4AI score0.00577EPSS
CVE
CVE
added 2026/05/14 2:54 p.m.34 views

CVE-2026-44216

Wasmtime (WebAssembly runtime) contains a vulnerability in its allocation logic for WebAssembly tables: checked arithmetic may panic on overflow when allocating extremely large tables (possible with memory64). Affects Wasmtime versions 30.0.0–36.0.8, 43.0.2, and 44.0.1. The panic occurs during cr...

7.5CVSS6AI score0.00319EPSS
CVE
CVE
added 2026/04/09 6:36 p.m.32 views

CVE-2026-34943

Wasmtime (WebAssembly runtime) has a vulnerability where lifting a flags-typed component-model value with Val can panic if bits outside the allowed flags set are present. Affected versions before fixes include 24.0.7, 36.0.7, 42.0.2, and 43.0.1; the panic occurs in Wasmtime’s Val lifting (not in ...

7.5CVSS5.8AI score0.00324EPSS
CVE
CVE
added 2026/02/24 9:31 p.m.29 views

CVE-2026-27572

Wasmtime (WebAssembly runtime) is affected by CVE-2026-27572 in the wasi:http/types.fields implementation. Prior to patched releases (Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0), the wasmtime-wasi-http crate uses a data structure that panics when the headers field set becomes excessively...

7.5CVSS5.5AI score0.00466EPSS
CVE
CVE
added 2026/06/15 7:47 p.m.26 views

CVE-2026-47261

CVE-2026-47261 : Wasmtime-wasi WASI path_open(TRUNCATE) bypasses FilePerms::WRITE host restriction. Root cause: when OpenFlags::TRUNCATE is used, open_mode was not OR-ed with WRITE, allowing a READ-only preopen with DirPerms::all() to bypass access checks via wasip1 path_open or wasip2 descriptor...

7.5CVSS5.2AI score0.00357EPSS
CVE
CVE
added 2026/04/09 6:43 p.m.22 views

CVE-2026-34946

Summary: Wasmtime’s Winch-based code path can panic the host when compiling the WebAssembly table.fill instruction. From 25.0.0 up to but not including 36.0.7, 42.0.2, and 43.0.1, a historical refactor changed how compiled code references table elements, but Winch paths were not updated, leading ...

7.5CVSS6AI score0.00358EPSS
CVE
CVE
added 2026/02/24 9:15 p.m.20 views

CVE-2026-27195

CVE-2026-27195 affects Wasmtime in versions where component-model-async is default (from 39.0.0). The bug causes a panic when a host embeds calls to wasmtime::component::[Typed]Func::call_async, drops the returned Future after polling, and then reuses the same component instance before the first ...

7.5CVSS5.3AI score0.00362EPSS
CVE
CVE
added 2026/04/09 6:54 p.m.20 views

CVE-2026-35186

Wasmtime vulnerable due to a Winch backend bug in table.grow (affecting 32-bit tables) that could mis-interpret the result and allow reads/writes to the 16 bytes before linear memory, causing DoS and potential host-data leakage. Affected versions: Wasmtime 25.0.0 up to before 36.0.7, 42.0.2, and ...

7.5CVSS5.8AI score0.00214EPSS