Skip to main content

Wasmtime

32 CVEs product

Monthly

CVE-2026-54786 Cargo LOW PATCH Monitor

Resource exhaustion in Wasmtime's native WASIp1 implementation allows low-privileged WebAssembly guests to exhaust host-level file descriptors and OS resources by repeatedly invoking fd_renumber in a loop. The affected versions span four distinct release branches - all pre-24.0.10, 25.x-35.x, 37.x-44.x, and 45.0.0-45.0.1 - but only runtimes that both expose fd_renumber and grant guests the ability to open files are vulnerable. No public exploit code exists and the issue is not listed in CISA KEV; however, the attack is mechanically straightforward once the conditions are met, making patching the primary defense.

Information Disclosure Wasmtime
NVD GitHub
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-34988 Cargo LOW PATCH GHSA Monitor

Wasmtime's pooling allocator leaks linear memory contents between WebAssembly instances when configured with specific non-default settings (memory_guard_size=0, memory_reservation<4GiB, max_memory_size=memory_reservation). Affected versions 28.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0 allow authenticated local attackers with high attack complexity to read sensitive data from previously-mapped memory due to incorrect virtual memory permission reset logic. Vendor-released patches: 36.0.7, 42.0.2, and 43.0.1. No public exploit identified at time of analysis.

Buffer Overflow Wasmtime
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-34983 LIB LOW PATCH GHSA Monitor

Wasmtime 43.0.0 contains a use-after-free vulnerability in the Linker cloning mechanism that allows host embedders to trigger memory corruption through a specific sequence of API calls: cloning a wasmtime::Linker, dropping the original instance, and then using the cloned instance. This vulnerability is not exploitable by guest WebAssembly programs and requires deliberate misuse of the host API. The flaw is fixed in Wasmtime 43.0.1. Despite the use-after-free nature (CWE-416), the CVSS 4.0 score of 1.0 reflects the extremely limited attack surface: physical or local access is required (AV:P), attack complexity is high (AC:H), high privilege level is needed (PR:H), and user interaction is required (UI:A), resulting in minimal confidentiality, integrity, and availability impact.

Memory Corruption Information Disclosure Use After Free Wasmtime
NVD GitHub VulDB
CVSS 4.0
1.0
EPSS
0.0%
CVE-2026-34971 Cargo CRITICAL PATCH GHSA Act Now

Arbitrary memory read/write vulnerability in Bytecode Alliance Wasmtime versions 32.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0 allows authenticated remote attackers to escape WebAssembly sandbox restrictions. The Cranelift compilation backend on aarch64 architecture miscompiles specific heap access patterns, creating divergent address computations where bounds checks validate one address while loads access another, enabling sandbox escape through unrestricted host memory access. Exploitation requires 64-bit WebAssembly linear memories with Spectre mitigations and signals-based-traps disabled. No public exploit identified at time of analysis.

Information Disclosure Buffer Overflow Wasmtime
NVD GitHub VulDB
CVSS 4.0
9.0
EPSS
0.0%
CVE-2026-34946 Cargo MEDIUM PATCH GHSA This Month

Wasmtime's Winch compiler (versions 25.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0) contains a table indexing vulnerability in the table.fill instruction that causes host panic when compiled by Winch on any architecture. A valid WebAssembly guest can trigger this denial-of-service condition due to incorrect table reference indexing left behind after a historical refactoring. EPSS score of 5.9 reflects medium exploitability, and the vulnerability is patched in Wasmtime 36.0.7, 42.0.2, and 43.0.1.

Information Disclosure Wasmtime
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-34945 Cargo LOW PATCH GHSA Monitor

Wasmtime's Winch compiler in versions 25.0.0 through 36.0.6, 42.0.1, and 43.0.0 incorrectly translates the WebAssembly table.size instruction for 64-bit tables under the memory64 proposal, allowing WebAssembly guests to read sensitive data from the host's stack. The vulnerability stems from static typing the return value as 32-bit instead of consulting the table's actual index type, which when combined with Winch's multi-value return ABI mechanics enables stack data disclosure. This is fixed in Wasmtime 36.0.7, 42.0.2, and 43.0.1; no public exploit code or active exploitation has been identified at time of analysis, but the low CVSS score (2.3) reflects limited real-world impact due to authentication requirements and limited technical scope.

Information Disclosure Wasmtime
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-34944 Cargo MEDIUM PATCH GHSA This Month

Wasmtime's Cranelift compiler generates inefficient code for the f64x2.splat WebAssembly instruction on x86-64 platforms with SSE3 disabled, causing it to load 8 excess bytes beyond the intended operand. On systems with signals-based traps disabled, this overflow access can trigger segmentation faults from unmapped guard pages; with guard pages also disabled, out-of-sandbox memory is accessible to the runtime (though not to WebAssembly guests themselves). The vulnerability affects Wasmtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, and is fixed in those releases. No public exploit code or active exploitation (KEV) is documented.

Information Disclosure Wasmtime
NVD GitHub VulDB
CVSS 4.0
4.1
EPSS
0.0%
CVE-2026-34943 Cargo MEDIUM PATCH GHSA This Month

Wasmtime runtime before versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 panics when lifting component model flags-typed values with out-of-specification bit patterns, enabling guest-controlled denial-of-service in the host environment. The vulnerability requires high privilege and user interaction but affects a critical WebAssembly runtime used in production systems. No public exploit code is confirmed at time of analysis.

Information Disclosure Wasmtime
NVD GitHub VulDB
CVSS 4.0
5.6
EPSS
0.0%
CVE-2026-34942 Cargo MEDIUM PATCH GHSA This Month

Wasmtime prior to versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 fails to properly validate pointer alignment when transcoding strings into UTF-16 or Latin-1+UTF-16 encodings within the Component Model, allowing authenticated malicious WebAssembly guests to trigger host panics by passing specially crafted unaligned pointers across component boundaries. This denial-of-service vulnerability requires authenticated access and specific string configurations but results in controllable host crashes. CVSS score 5.9 reflects moderate severity with attack vector network and authentication requirement; SSVC framework rates exploitation as not yet observed with non-automatable exploitation.

Information Disclosure Wasmtime
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-34941 Cargo MEDIUM PATCH GHSA This Month

Wasmtime runtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1 incorrectly validate UTF-16 string byte lengths during component-model encoding transcoding, causing out-of-bounds memory reads that trigger process termination via segfault in default configurations or potentially expose host memory when guard pages are disabled. Authenticated users with UI interaction can trigger this denial-of-service vulnerability; reading beyond linear memory requires non-standard Wasmtime configuration without guard pages. No public exploit code has been identified at time of analysis.

Information Disclosure Buffer Overflow Wasmtime
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-27572 Cargo HIGH PATCH This Week

Wasmtime's HTTP header handling in the wasmtime-wasi-http crate crashes when processing excessive header fields, allowing remote attackers to trigger denial of service against applications embedding Wasmtime. The vulnerability affects versions prior to 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0, and has been patched to return a controlled trap instead of panicking. Embedders should update immediately to mitigate this DoS vector.

Industrial Denial Of Service Wasmtime Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27204 Cargo MEDIUM PATCH This Month

Uncontrolled resource allocation in Wasmtime's WASI host interfaces allows authenticated guests to trigger denial of service on the host system by exhausting resources without proper limits. Affected versions prior to 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 require explicit configuration to mitigate this issue, though Wasmtime 42.0.0 and later provide secure defaults. No patch is currently available for older versions, and resource exhaustion protections must be manually enabled.

Denial Of Service Wasmtime Red Hat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-27195 Cargo HIGH PATCH This Week

Wasmtime versions 39.0.0 and later experience a denial-of-service panic when async WebAssembly component functions are called and then abandoned by the host before completion, such as when the Future is dropped after a single poll during an async yield. This affects applications using Wasmtime's component model with async support, allowing an attacker to crash the runtime through specially crafted async function invocations. A patch is available to address this stability issue.

Golang Industrial Wasmtime Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-24116 Cargo MEDIUM PATCH This Month

Wasmtime versions 29.0.0 through 41.0.0 on x86-64 platforms with AVX contain an out-of-bounds memory read in the f64.copysign instruction compilation that can cause application crashes when signal-based traps are disabled. In configurations with disabled guard pages, this vulnerability could potentially leak out-of-sandbox data, though the data remains inaccessible to WebAssembly guests without additional Cranelift bugs. Patches are available in versions 36.0.5, 40.0.3, and 41.0.1.

Buffer Overflow Information Disclosure Wasmtime
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2024-51745 Cargo LOW PATCH Monitor

Wasmtime is a fast and secure runtime for WebAssembly. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Microsoft Wasmtime
NVD GitHub
CVSS 4.0
2.3
EPSS
0.8%
CVE-2024-47813 LIB LOW PATCH Monitor

Wasmtime is an open source runtime for WebAssembly. Rated low severity (CVSS 2.9). No vendor patch available.

Information Disclosure Wasmtime
NVD GitHub
CVSS 3.1
2.9
EPSS
0.2%
CVE-2024-47763 LIB MEDIUM PATCH This Month

Wasmtime is an open source runtime for WebAssembly. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Google Denial Of Service Wasmtime
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-30266 LIB MEDIUM POC PATCH This Month

wasmtime is a runtime for WebAssembly. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Memory Corruption Wasmtime
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2023-41880 Cargo MEDIUM PATCH This Month

Wasmtime is a standalone runtime for WebAssembly. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Wasmtime
NVD GitHub
CVSS 3.1
5.3
EPSS
0.6%
CVE-2023-30624 Cargo HIGH PATCH This Week

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Wasmtime
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2023-27477 Cargo MEDIUM PATCH This Month

wasmtime is a fast and secure runtime for WebAssembly. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Cranelift Codegen Wasmtime
NVD GitHub
CVSS 3.1
4.3
EPSS
0.6%
CVE-2023-26489 Cargo CRITICAL PATCH Act Now

wasmtime is a fast and secure runtime for WebAssembly. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Cranelift Codegen Wasmtime
NVD GitHub
CVSS 3.1
9.9
EPSS
1.3%
CVE-2022-39394 Cargo CRITICAL PATCH Act Now

Wasmtime is a standalone runtime for WebAssembly. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Memory Corruption Buffer Overflow Wasmtime
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2022-39393 Cargo HIGH PATCH This Week

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Wasmtime
NVD GitHub
CVSS 3.1
8.6
EPSS
0.7%
CVE-2022-39392 Cargo HIGH PATCH This Week

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Wasmtime
NVD GitHub
CVSS 3.1
7.4
EPSS
0.6%
CVE-2022-31169 Cargo HIGH PATCH This Week

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Cranelift Codegen Wasmtime
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-31146 Cargo HIGH PATCH This Week

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Memory Corruption Information Disclosure Use After Free Cranelift Codegen Wasmtime
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2022-31104 Cargo MEDIUM PATCH This Month

Wasmtime is a standalone runtime for WebAssembly. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Cranelift Codegen Wasmtime
NVD GitHub
CVSS 3.1
5.6
EPSS
1.6%
CVE-2022-24791 Cargo CRITICAL PATCH Act Now

Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Denial Of Service Memory Corruption Use After Free Wasmtime
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2021-39218 LIB MEDIUM PATCH This Month

Wasmtime is an open source runtime for WebAssembly & WASI. Rated medium severity (CVSS 6.3). This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Wasmtime Fedora
NVD GitHub
CVSS 3.1
6.3
EPSS
0.3%
CVE-2021-39219 LIB MEDIUM PATCH This Month

Wasmtime is an open source runtime for WebAssembly & WASI. Rated medium severity (CVSS 6.3). This Access of Resource Using Incompatible Type (Type Confusion) vulnerability could allow attackers to execute arbitrary code by exploiting type confusion in the application.

Memory Corruption Information Disclosure Wasmtime Fedora
NVD GitHub
CVSS 3.1
6.3
EPSS
0.4%
CVE-2021-39216 LIB MEDIUM PATCH This Month

Wasmtime is an open source runtime for WebAssembly & WASI. Rated medium severity (CVSS 6.3). No vendor patch available.

Use After Free Memory Corruption Information Disclosure Wasmtime Fedora
NVD GitHub
CVSS 3.1
6.3
EPSS
0.3%
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Resource exhaustion in Wasmtime's native WASIp1 implementation allows low-privileged WebAssembly guests to exhaust host-level file descriptors and OS resources by repeatedly invoking fd_renumber in a loop. The affected versions span four distinct release branches - all pre-24.0.10, 25.x-35.x, 37.x-44.x, and 45.0.0-45.0.1 - but only runtimes that both expose fd_renumber and grant guests the ability to open files are vulnerable. No public exploit code exists and the issue is not listed in CISA KEV; however, the attack is mechanically straightforward once the conditions are met, making patching the primary defense.

Information Disclosure Wasmtime
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Wasmtime's pooling allocator leaks linear memory contents between WebAssembly instances when configured with specific non-default settings (memory_guard_size=0, memory_reservation<4GiB, max_memory_size=memory_reservation). Affected versions 28.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0 allow authenticated local attackers with high attack complexity to read sensitive data from previously-mapped memory due to incorrect virtual memory permission reset logic. Vendor-released patches: 36.0.7, 42.0.2, and 43.0.1. No public exploit identified at time of analysis.

Buffer Overflow Wasmtime
NVD GitHub VulDB
EPSS 0% CVSS 1.0
LOW PATCH Monitor

Wasmtime 43.0.0 contains a use-after-free vulnerability in the Linker cloning mechanism that allows host embedders to trigger memory corruption through a specific sequence of API calls: cloning a wasmtime::Linker, dropping the original instance, and then using the cloned instance. This vulnerability is not exploitable by guest WebAssembly programs and requires deliberate misuse of the host API. The flaw is fixed in Wasmtime 43.0.1. Despite the use-after-free nature (CWE-416), the CVSS 4.0 score of 1.0 reflects the extremely limited attack surface: physical or local access is required (AV:P), attack complexity is high (AC:H), high privilege level is needed (PR:H), and user interaction is required (UI:A), resulting in minimal confidentiality, integrity, and availability impact.

Memory Corruption Information Disclosure Use After Free +1
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Arbitrary memory read/write vulnerability in Bytecode Alliance Wasmtime versions 32.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0 allows authenticated remote attackers to escape WebAssembly sandbox restrictions. The Cranelift compilation backend on aarch64 architecture miscompiles specific heap access patterns, creating divergent address computations where bounds checks validate one address while loads access another, enabling sandbox escape through unrestricted host memory access. Exploitation requires 64-bit WebAssembly linear memories with Spectre mitigations and signals-based-traps disabled. No public exploit identified at time of analysis.

Information Disclosure Buffer Overflow Wasmtime
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Wasmtime's Winch compiler (versions 25.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0) contains a table indexing vulnerability in the table.fill instruction that causes host panic when compiled by Winch on any architecture. A valid WebAssembly guest can trigger this denial-of-service condition due to incorrect table reference indexing left behind after a historical refactoring. EPSS score of 5.9 reflects medium exploitability, and the vulnerability is patched in Wasmtime 36.0.7, 42.0.2, and 43.0.1.

Information Disclosure Wasmtime
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Wasmtime's Winch compiler in versions 25.0.0 through 36.0.6, 42.0.1, and 43.0.0 incorrectly translates the WebAssembly table.size instruction for 64-bit tables under the memory64 proposal, allowing WebAssembly guests to read sensitive data from the host's stack. The vulnerability stems from static typing the return value as 32-bit instead of consulting the table's actual index type, which when combined with Winch's multi-value return ABI mechanics enables stack data disclosure. This is fixed in Wasmtime 36.0.7, 42.0.2, and 43.0.1; no public exploit code or active exploitation has been identified at time of analysis, but the low CVSS score (2.3) reflects limited real-world impact due to authentication requirements and limited technical scope.

Information Disclosure Wasmtime
NVD GitHub VulDB
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

Wasmtime's Cranelift compiler generates inefficient code for the f64x2.splat WebAssembly instruction on x86-64 platforms with SSE3 disabled, causing it to load 8 excess bytes beyond the intended operand. On systems with signals-based traps disabled, this overflow access can trigger segmentation faults from unmapped guard pages; with guard pages also disabled, out-of-sandbox memory is accessible to the runtime (though not to WebAssembly guests themselves). The vulnerability affects Wasmtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, and is fixed in those releases. No public exploit code or active exploitation (KEV) is documented.

Information Disclosure Wasmtime
NVD GitHub VulDB
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Wasmtime runtime before versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 panics when lifting component model flags-typed values with out-of-specification bit patterns, enabling guest-controlled denial-of-service in the host environment. The vulnerability requires high privilege and user interaction but affects a critical WebAssembly runtime used in production systems. No public exploit code is confirmed at time of analysis.

Information Disclosure Wasmtime
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Wasmtime prior to versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 fails to properly validate pointer alignment when transcoding strings into UTF-16 or Latin-1+UTF-16 encodings within the Component Model, allowing authenticated malicious WebAssembly guests to trigger host panics by passing specially crafted unaligned pointers across component boundaries. This denial-of-service vulnerability requires authenticated access and specific string configurations but results in controllable host crashes. CVSS score 5.9 reflects moderate severity with attack vector network and authentication requirement; SSVC framework rates exploitation as not yet observed with non-automatable exploitation.

Information Disclosure Wasmtime
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Wasmtime runtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1 incorrectly validate UTF-16 string byte lengths during component-model encoding transcoding, causing out-of-bounds memory reads that trigger process termination via segfault in default configurations or potentially expose host memory when guard pages are disabled. Authenticated users with UI interaction can trigger this denial-of-service vulnerability; reading beyond linear memory requires non-standard Wasmtime configuration without guard pages. No public exploit code has been identified at time of analysis.

Information Disclosure Buffer Overflow Wasmtime
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Wasmtime's HTTP header handling in the wasmtime-wasi-http crate crashes when processing excessive header fields, allowing remote attackers to trigger denial of service against applications embedding Wasmtime. The vulnerability affects versions prior to 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0, and has been patched to return a controlled trap instead of panicking. Embedders should update immediately to mitigate this DoS vector.

Industrial Denial Of Service Wasmtime +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uncontrolled resource allocation in Wasmtime's WASI host interfaces allows authenticated guests to trigger denial of service on the host system by exhausting resources without proper limits. Affected versions prior to 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 require explicit configuration to mitigate this issue, though Wasmtime 42.0.0 and later provide secure defaults. No patch is currently available for older versions, and resource exhaustion protections must be manually enabled.

Denial Of Service Wasmtime Red Hat
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Wasmtime versions 39.0.0 and later experience a denial-of-service panic when async WebAssembly component functions are called and then abandoned by the host before completion, such as when the Future is dropped after a single poll during an async yield. This affects applications using Wasmtime's component model with async support, allowing an attacker to crash the runtime through specially crafted async function invocations. A patch is available to address this stability issue.

Golang Industrial Wasmtime +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Wasmtime versions 29.0.0 through 41.0.0 on x86-64 platforms with AVX contain an out-of-bounds memory read in the f64.copysign instruction compilation that can cause application crashes when signal-based traps are disabled. In configurations with disabled guard pages, this vulnerability could potentially leak out-of-sandbox data, though the data remains inaccessible to WebAssembly guests without additional Cranelift bugs. Patches are available in versions 36.0.5, 40.0.3, and 41.0.1.

Buffer Overflow Information Disclosure Wasmtime
NVD GitHub
EPSS 1% CVSS 2.3
LOW PATCH Monitor

Wasmtime is a fast and secure runtime for WebAssembly. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Microsoft Wasmtime
NVD GitHub
EPSS 0% CVSS 2.9
LOW PATCH Monitor

Wasmtime is an open source runtime for WebAssembly. Rated low severity (CVSS 2.9). No vendor patch available.

Information Disclosure Wasmtime
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Wasmtime is an open source runtime for WebAssembly. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Google Denial Of Service Wasmtime
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

wasmtime is a runtime for WebAssembly. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Memory Corruption Wasmtime
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Wasmtime is a standalone runtime for WebAssembly. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Wasmtime
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Wasmtime
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

wasmtime is a fast and secure runtime for WebAssembly. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Cranelift Codegen Wasmtime
NVD GitHub
EPSS 1% CVSS 9.9
CRITICAL PATCH Act Now

wasmtime is a fast and secure runtime for WebAssembly. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Cranelift Codegen +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Wasmtime is a standalone runtime for WebAssembly. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Memory Corruption Buffer Overflow Wasmtime
NVD GitHub
EPSS 1% CVSS 8.6
HIGH PATCH This Week

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Wasmtime
NVD GitHub
EPSS 1% CVSS 7.4
HIGH PATCH This Week

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Wasmtime
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Cranelift Codegen Wasmtime
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Memory Corruption Information Disclosure Use After Free +2
NVD GitHub
EPSS 2% CVSS 5.6
MEDIUM PATCH This Month

Wasmtime is a standalone runtime for WebAssembly. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Cranelift Codegen Wasmtime
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Denial Of Service Memory Corruption Use After Free +1
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Wasmtime is an open source runtime for WebAssembly & WASI. Rated medium severity (CVSS 6.3). This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Wasmtime +1
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Wasmtime is an open source runtime for WebAssembly & WASI. Rated medium severity (CVSS 6.3). This Access of Resource Using Incompatible Type (Type Confusion) vulnerability could allow attackers to execute arbitrary code by exploiting type confusion in the application.

Memory Corruption Information Disclosure Wasmtime +1
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Wasmtime is an open source runtime for WebAssembly & WASI. Rated medium severity (CVSS 6.3). No vendor patch available.

Use After Free Memory Corruption Information Disclosure +2
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy