{"id":"CVE-2026-44216","summary":"Wasmtime: Panic when allocating a table exceeding the size of the host's address space","details":"Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.","aliases":["GHSA-p8xm-42r7-89xg","RUSTSEC-2026-0114"],"modified":"2026-07-17T03:41:41.541985345Z","published":"2026-05-14T14:54:32.975Z","related":["CGA-4w3c-qcxm-v5gj","SUSE-SU-2026:22002-1","openSUSE-SU-2026:10802-1","openSUSE-SU-2026:20863-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44216.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-770"]},"references":[{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44216.json"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:38187"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-44216"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44216.json"},{"type":"ADVISORY","url":"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44216"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2477467"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bytecodealliance/wasmtime","events":[{"introduced":"ede663c2ac43dad89877844440e53e0214468f03"},{"fixed":"332e8ad2374e78adba1127f725d6603a4a5f96f3"},{"introduced":"7b3d6ae79e9153a2477668062f5622c10333925f"},{"fixed":"f8557c1ad85b8fc123b715d15db7b52483eade96"},{"introduced":"af382d7d946b3de82db4bb1f6065b565f97446ae"},{"last_affected":"af382d7d946b3de82db4bb1f6065b565f97446ae"}],"database_specific":{"cpe":["cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*","cpe:2.3:a:bytecodealliance:wasmtime:44.0.0:*:*:*:*:rust:*:*"],"extracted_events":[{"introduced":"30.0.0"},{"fixed":"36.0.8"},{"introduced":"37.0.0"},{"fixed":"43.0.2"},{"introduced":"44.0.0"},{"last_affected":"44.0.0"}],"source":["CPE_RANGE","CPE_STRING"]}}],"versions":["44.0.0","v44.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44216.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}