wasmtime
crates.io | 34 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting wasmtime
- CVE-2021-39216 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 0.30.0 | 2021-09-17
Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have…
- CVE-2021-39218 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 0.30.0 | 2021-09-17
Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime from version 0.26.0 and before version 0.30.0 is affected by a memory unsoundness vulnerability. There was an invalid free and out-of-bounds read and write bug when run…
- CVE-2021-39219 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 0.30.0 | 2021-09-17
Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime before version 0.30.0 is affected by a type confusion vulnerability. As a Rust library the `wasmtime` crate clearly marks which functions are safe and which are `unsafe`, …
- CVE-2022-23636 | MEDIUM | CVSS 5.1 | EG 5.1 | ✓ Fixed in 0.38.2 | 2022-02-16
Wasmtime is an open source runtime for WebAssembly & WASI. Prior to versions 0.34.1 and 0.33.1, there exists a bug in the pooling instance allocator in Wasmtime's runtime where a failure to instantiate an instance for a module that defines…
- CVE-2022-24791 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 0.35.2 | 2022-03-31
Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. There is a use after free vulnerability in Wasmtime when both running Wasm that uses externrefs and enabling epoch interruption in Wasmtime. If you are not explic…
- CVE-2022-31104 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 0.38.1 | 2022-06-28
Wasmtime is a standalone runtime for WebAssembly. In affected versions wasmtime's implementation of the SIMD proposal for WebAssembly on x86_64 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The aarch64 …
- CVE-2022-31146 | MEDIUM | CVSS 6.4 | EG 6.4 | ✓ Fixed in 0.38.2 | 2022-07-21
Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing metadata required for runtime garbage collection. This means tha…
- CVE-2022-31169 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 0.38.2 | 2022-07-22
Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, for AArch64 targets where constant divisors can result in incorrect division results at runtime. This affects Wasmtime prior to versi…
- CVE-2022-39392 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 2.0.2 | 2022-11-10
Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator when the allocator is configured to give WebAssembly instances a maximum of zero pages …
- CVE-2022-39393 | HIGH | CVSS 8.6 | EG 8.6 | ✓ Fixed in 2.0.2 | 2022-11-10
Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap s…
- CVE-2022-39394 | LOW | CVSS 3.8 | EG 3.8 | ✓ Fixed in 2.0.2 | 2022-11-10
Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's C API implementation where the definition of the `wasmtime_trap_code` does not match its declared signature in the `wasmtime/trap.h` hea…
- CVE-2023-26489 | CRITICAL | CVSS 9.9 | EG 9.9 | ✓ Fixed in 6.0.1 | 2023-03-08
wasmtime is a fast and secure runtime for WebAssembly. In affected versions wasmtime's code generator, Cranelift, has a bug on x86_64 targets where address-mode computation mistakenly would calculate a 35-bit effective address instead of W…
- CVE-2023-27477 | LOW | CVSS 3.1 | EG 3.1 | ✓ Fixed in 6.0.1 | 2023-03-08
wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's code generation backend, Cranelift, has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will produce the wrong results when the same operand i…
- CVE-2023-30624 | LOW | CVSS 3.9 | EG 3.9 | ✓ Fixed in 8.0.1 | 2023-04-27
Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined beha…
- CVE-2023-41880 | LOW | CVSS 2.2 | EG 2.2 | ✓ Fixed in 12.0.2 | 2023-09-15
Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions from 10.0.0 to versions 10.02, 11.0.2, and 12.0.1 contain a miscompilation of the WebAssembly `i64x2.shr_s` instruction on x86_64 platforms when the shift amount is a cons…
- CVE-2024-30266 | LOW | CVSS 3.3 | EG 3.3 | ✓ Fixed in 19.0.1 | 2024-04-04
wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, whe…
- CVE-2024-47763 | MEDIUM | CVSS 5.5 | EG 5.5 | ✓ Fixed in 25.0.2 | 2024-10-09
Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if…
- CVE-2024-47813 | LOW | CVSS 2.9 | EG 2.9 | ✓ Fixed in 25.0.2 | 2024-10-09
Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potent…
- CVE-2024-51745 | CRITICAL | CVSS 10.0 | EG 10.0 | ✓ Fixed in 26.0.1 | 2024-11-05
Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to …
- CVE-2025-53901 | LOW | CVSS 3.5 | EG 3.5 | ✓ Fixed in 24.0.4 | 2025-07-18
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The spec…
- CVE-2025-64345 | LOW | CVSS 1.8 | EG 1.8 | ✓ Fixed in 38.0.4 | 2025-11-12
Wasmtime is a runtime for WebAssembly. Prior to versions 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe…
- CVE-2026-34941 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 43.0.1 | 2026-04-09
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byt…
- CVE-2026-34942 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 43.0.1 | 2026-04-09
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocate…
- CVE-2026-34943 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 43.0.1 | 2026-04-09
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the se…
- CVE-2026-34944 | MEDIUM | CVSS 5.7 | EG 5.7 | ✓ Fixed in 43.0.1 | 2026-04-09
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, on x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is neces…
- CVE-2026-34945 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 43.0.1 | 2026-04-09
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size ins…
- CVE-2026-34946 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 43.0.1 | 2026-04-09
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a v…
- CVE-2026-34971 | HIGH | CVSS 7.8 | EG 7.8 | ✓ Fixed in 43.0.1 | 2026-04-09
Wasmtime is a runtime for WebAssembly. From 32.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses which means that the wrong address…
- CVE-2026-34983 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 43.0.1 | 2026-04-09
Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder…
- CVE-2026-34987 | CRITICAL | CVSS 9.9 | EG 9.9 | ✓ Fixed in 43.0.1 | 2026-04-09
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-…
- CVE-2026-34988 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 43.0.1 | 2026-04-09
Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of its pooling allocator contains a bug where in certain configurations the contents of linear memory can be leaked from one…
- CVE-2026-35186 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 43.0.1 | 2026-04-09
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler backend contains a bug where translating the table.grow operator causes the result to be incorrectly typed. For 32-bit table…
- CVE-2026-35195 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 43.0.1 | 2026-04-09
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings between components contains a bug where the return value of a guest component's realloc is not validated b…
- CVE-2026-44216 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 44.0.1 | 2026-05-14
Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus p…