Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44216.json",
"cwe_ids": [
"CWE-770"
],
"cna_assigner": "GitHub_M"
}{
"cpe": [
"cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*",
"cpe:2.3:a:bytecodealliance:wasmtime:44.0.0:*:*:*:*:rust:*:*"
],
"source": [
"CPE_RANGE",
"CPE_STRING"
],
"extracted_events": [
{
"introduced": "30.0.0"
},
{
"fixed": "36.0.8"
},
{
"introduced": "37.0.0"
},
{
"fixed": "43.0.2"
},
{
"introduced": "44.0.0"
},
{
"last_affected": "44.0.0"
}
]
}