Skip to main content

Wasmtime CVE-2026-34943

| EUVDEUVD-2026-21022 MEDIUM
Uncaught Exception (CWE-248)
2026-04-09 GitHub_M GHSA-m758-wjhj-p3jq
5.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.6 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.0 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 19:15 euvd
EUVD-2026-21022
Analysis Generated
Apr 09, 2026 - 19:15 vuln.today
CVE Published
Apr 09, 2026 - 18:36 nvd
MEDIUM 5.6

DescriptionGitHub Advisory

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags the component model specifies that these bits should be ignored but Wasmtime will panic when this value is lifted. This panic only affects wasmtime's implementation of lifting into Val, not when using the flags! macro. This additionally only affects flags-typed values which are part of a WIT interface. This has the risk of being a guest-controlled panic within the host which Wasmtime considers a DoS vector. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.

AnalysisAI

Wasmtime runtime before versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 panics when lifting component model flags-typed values with out-of-specification bit patterns, enabling guest-controlled denial-of-service in the host environment. The vulnerability requires high privilege and user interaction but affects a critical WebAssembly runtime used in production systems. No public exploit code is confirmed at time of analysis.

Technical ContextAI

Wasmtime is a standalone runtime for executing WebAssembly (WASM) modules, developed by the Bytecode Alliance. The vulnerability resides in the component model's lifting mechanism, specifically when converting flags-typed values (bitmask enumerations in the WebAssembly Interface Type specification) from guest to host representation using the Val type. The root cause is improper validation in CWE-248 (Uncaught Exception), where the lifting implementation panics upon encountering flags with bits set outside the defined specification. The flags! macro and non-Val lifting paths correctly ignore these out-of-spec bits per the component model standard; only the Val lifting path fails. This affects any Wasmtime instance exposing a WIT (WebAssembly Interface Type) interface with flags-typed component model values to untrusted guests.

RemediationAI

Vendor-released patches are available: upgrade to Wasmtime 24.0.7, 36.0.7, 42.0.2, or 43.0.1 depending on your current minor version line. Consult https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m758-wjhj-p3jq for detailed version compatibility and upgrade instructions. Until patching is complete, mitigate by restricting execution of untrusted WebAssembly modules or disabling component model interfaces that expose flags-typed values to guest code. Review deployment architectures to ensure untrusted WASM execution is properly sandboxed and resource-limited.

CVE-2023-26489 CRITICAL
9.9 Mar 08

wasmtime is a fast and secure runtime for WebAssembly. Rated critical severity (CVSS 9.9), this vulnerability is remotel

CVE-2022-39394 CRITICAL
9.8 Nov 10

Wasmtime is a standalone runtime for WebAssembly. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2022-24791 CRITICAL
9.8 Mar 31

Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. Rated critical severity (CVSS 9.8), this vu

CVE-2024-30266 MEDIUM POC
5.5 Apr 04

wasmtime is a runtime for WebAssembly. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Pu

CVE-2026-34971 CRITICAL
9.0 Apr 09

Arbitrary memory read/write vulnerability in Bytecode Alliance Wasmtime versions 32.0.0 through 36.0.6, 42.0.0-42.0.1, a

CVE-2023-30624 HIGH
8.8 Apr 27

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit

CVE-2022-31146 HIGH
8.8 Jul 21

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit

CVE-2022-39393 HIGH
8.6 Nov 10

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.6), this vulnerability is remotely exploit

CVE-2026-27572 HIGH
7.5 Feb 24

Wasmtime's HTTP header handling in the wasmtime-wasi-http crate crashes when processing excessive header fields, allowin

CVE-2026-27195 HIGH
7.5 Feb 24

Wasmtime versions 39.0.0 and later experience a denial-of-service panic when async WebAssembly component functions are c

CVE-2022-31169 HIGH
7.5 Jul 22

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploit

CVE-2022-39392 HIGH
7.4 Nov 10

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 7.4), this vulnerability is remotely exploit

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed

Share

CVE-2026-34943 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy