| CVE-2026-44216 |
high |
7.5 |
7.5 |
|
|
|
1mo ago |
wasmtime has a panic when allocating a table exceeding the size of the host's address space |
| CVE-2026-35195 |
unknown |
— |
— |
|
|
|
2mo ago |
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings between components contains a bug where the return value of a gues… |
| CVE-2026-35186 |
unknown |
— |
— |
|
|
|
2mo ago |
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler backend contains a bug where translating the table.grow operator causes the result t… |
| CVE-2026-34988 |
unknown |
— |
— |
|
|
|
2mo ago |
Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of its pooling allocator contains a bug where in certain configurations the contents… |
| CVE-2026-34987 |
unknown |
— |
— |
|
|
|
2mo ago |
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to a… |
| CVE-2026-34983 |
unknown |
— |
— |
|
|
|
2mo ago |
Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be trig… |
| CVE-2026-34971 |
unknown |
— |
— |
|
|
|
2mo ago |
Wasmtime is a runtime for WebAssembly. From 32.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap acc… |
| CVE-2026-34946 |
unknown |
— |
— |
|
|
|
2mo ago |
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can res… |
| CVE-2026-34945 |
unknown |
— |
— |
|
|
|
2mo ago |
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, i… |
| CVE-2026-34944 |
unknown |
— |
— |
|
|
|
2mo ago |
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Crane… |
| CVE-2026-34943 |
unknown |
— |
— |
|
|
|
2mo ago |
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val… |
| CVE-2026-34941 |
unknown |
— |
— |
|
|
|
2mo ago |
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encodi… |
| CVE-2026-34942 |
unknown |
— |
— |
|
|
|
2mo ago |
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings imprope… |
| CVE-2026-27204 |
unknown |
— |
— |
|
|
|
3mo ago |
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exh… |
| CVE-2026-27572 |
unknown |
— |
— |
|
|
|
3mo ago |
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when t… |
| CVE-2026-27195 |
unknown |
— |
— |
|
|
|
3mo ago |
Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` w… |
| CVE-2026-24116 |
unknown |
— |
— |
|
|
|
4mo ago |
Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssemb… |
| CVE-2025-64345 |
unknown |
— |
— |
|
|
|
7mo ago |
Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could… |
| CVE-2025-53901 |
unknown |
— |
— |
|
|
|
11mo ago |
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing … |
| CVE-2025-62711 |
unknown |
— |
— |
|
|
|
11mo ago |
Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3, the implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible… |
| CVE-2024-51745 |
unknown |
— |
— |
|
|
|
2y ago |
Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so… |
| CVE-2024-47813 |
unknown |
— |
— |
|
|
|
2y ago |
Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race… |
| CVE-2024-47763 |
unknown |
— |
— |
|
|
|
2y ago |
Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The ru… |
| CVE-2024-30266 |
unknown |
— |
— |
|
|
|
2y ago |
wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host … |
| CVE-2023-41880 |
unknown |
— |
— |
|
|
|
3y ago |
Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions from 10.0.0 to versions 10.02, 11.0.2, and 12.0.1 contain a miscompilation of the WebAssembly `i64x2.shr_s` instruction on x86_64 p… |
| CVE-2023-30624 |
unknown |
— |
— |
|
|
|
3y ago |
Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level… |
| CVE-2023-27477 |
unknown |
— |
— |
|
|
|
3y ago |
wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's code generation backend, Cranelift, has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will produce t… |
| CVE-2023-26489 |
unknown |
— |
— |
|
|
|
3y ago |
wasmtime is a fast and secure runtime for WebAssembly. In affected versions wasmtime's code generator, Cranelift, has a bug on x86_64 targets where address-mode computation mistakenly would calculate… |
| CVE-2022-39393 |
unknown |
— |
— |
|
|
|
4y ago |
Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where when a linear memory is reused… |
| CVE-2022-39392 |
unknown |
— |
— |
|
|
|
4y ago |
Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator when the allocator is configured to give WebAss… |
| CVE-2022-39394 |
unknown |
— |
— |
|
|
|
4y ago |
Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's C API implementation where the definition of the `wasmtime_trap_code` does not match its declare… |
| CVE-2022-31146 |
unknown |
— |
— |
|
|
|
4y ago |
Wasmtime is a standalone runtime for WebAssembly. There is a bug in the Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing metadata required for ru… |
| CVE-2022-31104 |
unknown |
— |
— |
|
|
|
4y ago |
Wasmtime is a standalone runtime for WebAssembly. In affected versions wasmtime's implementation of the SIMD proposal for WebAssembly on x86_64 contained two distinct bugs in the instruction lowering… |
| CVE-2022-24791 |
unknown |
— |
— |
|
|
|
4y ago |
Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. There is a use after free vulnerability in Wasmtime when both running Wasm that uses externrefs and enabling epoch interru… |
| CVE-2022-31169 |
unknown |
— |
— |
|
|
|
4y ago |
Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, for AArch64 targets where constant divisors can result in incorrect division results at runti… |
| CVE-2022-23636 |
unknown |
— |
— |
|
|
|
4y ago |
Wasmtime is an open source runtime for WebAssembly & WASI. Prior to versions 0.34.1 and 0.33.1, there exists a bug in the pooling instance allocator in Wasmtime's runtime where a failure to instantia… |
| CVE-2021-39216 |
unknown |
— |
— |
|
|
|
5y ago |
Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime before version 0.30.0 is affected by a type confusion vulnerability. As a Rust library the `wasmtime` crate clearly marks which fun… |
| CVE-2021-39219 |
unknown |
— |
— |
|
|
|
5y ago |
Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime before version 0.30.0 is affected by a type confusion vulnerability. As a Rust library the `wasmtime` crate clearly marks which fun… |
| CVE-2021-39218 |
unknown |
— |
— |
|
|
|
5y ago |
Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime before version 0.30.0 is affected by a type confusion vulnerability. As a Rust library the `wasmtime` crate clearly marks which fun… |