Vulnerability DatabaseCVE-2026-44216
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-44216
Published:May 14, 2026
Updated:May 18, 2026
Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.
Affected Packages
https://github.com/bytecodealliance/wasmtime.git (GITHUB):
Affected version(s) =v44.0.0 <v44.0.1
Fix Suggestion:
Update to version v44.0.1
https://github.com/bytecodealliance/wasmtime.git (GITHUB):
Affected version(s) >=v37.0.0 <v43.0.2
Fix Suggestion:
Update to version v43.0.2
https://github.com/bytecodealliance/wasmtime.git (GITHUB):
Affected version(s) >=v30.0.0 <v36.0.8
Fix Suggestion:
Update to version v36.0.8
wasmtime (RUST):
Affected version(s) >=30.0.0 <36.0.8
Fix Suggestion:
Update to version 36.0.8
wasmtime (RUST):
Affected version(s) =44.0.0 <44.0.1
Fix Suggestion:
Update to version 44.0.1
wasmtime (RUST):
Affected version(s) >=37.0.0 <43.0.2
Fix Suggestion:
Update to version 43.0.2
Related Resources (5)
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg
https://nvd.nist.gov/vuln/detail/CVE-2026-44216
https://crates.io/crates/wasmtime
https://github.com/bytecodealliance/wasmtime
https://rustsec.org/advisories/RUSTSEC-2026-0114.html
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.7
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Allocation of Resources Without Limits or Throttling
CWE-770
EPSS
Base Score:
0.04