Vulnerability Details CVE-2026-44216
Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 15.7%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-44216
-
cpe:2.3:a:bytecodealliance:wasmtime:30.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:30.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:30.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:31.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:32.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:32.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:33.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:33.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:33.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:34.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:34.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:34.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:35.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.4
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.5
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.6
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.7
-
cpe:2.3:a:bytecodealliance:wasmtime:37.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:37.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:37.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:37.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:38.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:38.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:38.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:38.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:38.0.4
-
cpe:2.3:a:bytecodealliance:wasmtime:39.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:39.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:39.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:40.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:40.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:40.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:40.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:40.0.4
-
cpe:2.3:a:bytecodealliance:wasmtime:41.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:41.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:41.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:41.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:41.0.4
-
cpe:2.3:a:bytecodealliance:wasmtime:42.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:42.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:42.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:43.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:43.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:44.0.0