GHSA-p8xm-42r7-89xg

Source
https://github.com/advisories/GHSA-p8xm-42r7-89xg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-p8xm-42r7-89xg/GHSA-p8xm-42r7-89xg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-p8xm-42r7-89xg
Aliases
Related
Published
2026-05-07T00:08:59Z
Modified
2026-05-08T02:14:22.239421111Z
Severity
  • 5.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
wasmtime has a panic when allocating a table exceeding the size of the host's address space
Details

Impact

Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow, and thus the panic, can be triggered when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal, where tables can have sizes in the 64-bit range, as opposed to the previous 32-bit range, which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component.

This bug does not affect the pooling allocator, which limits table sizes to much less than the amount required to trigger the overflow. This bug is only present in the on-demand instance allocator, which is Wasmtime's default allocator. This bug also requires the memory64 WebAssembly feature to be enabled, which it is by default.

Panicking in the host process is considered a denial-of-service vector for Wasmtime.
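The following is an added illustration of the bug class described above; it is not Wasmtime's code and is not taken from the advisory. It models a table-allocation size computation in which the element count comes from the 64-bit range allowed by memory64. The `ELEMENT_SIZE` constant, the `TableError` type and the function names are assumptions made for this example. It shows the pattern that turns a detected overflow into a host panic beside a form that reports the overflow to the embedder as an error, and an embedder-side bound that rejects oversized requests before any arithmetic, which is what makes the pooling allocator immune.

```rust
// Illustrative model (not Wasmtime's code) of how an overflow check during
// table allocation can either panic (CWE-770 denial of service) or fail
// gracefully. All names here are assumptions made for this example.
use std::fmt;

/// Assumed host size of one table element: a pointer-sized slot.
const ELEMENT_SIZE: usize = std::mem::size_of::<usize>();

/// Errors an embedder can observe and handle instead of a panic.
#[derive(Debug, PartialEq, Eq)]
pub enum TableError {
    /// `elements * ELEMENT_SIZE` does not fit in the host address space.
    SizeOverflow { elements: u64 },
    /// Request exceeds the embedder's configured maximum.
    ExceedsLimit { elements: u64, limit: u64 },
}

impl fmt::Display for TableError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            TableError::SizeOverflow { elements } => {
                write!(f, "table of {elements} elements overflows host address space")
            }
            TableError::ExceedsLimit { elements, limit } => {
                write!(f, "table of {elements} elements exceeds limit of {limit}")
            }
        }
    }
}

/// Vulnerable pattern: `checked_mul` detects the overflow, but `expect`
/// converts the detected overflow into a panic in the host process.
pub fn table_bytes_panicking(elements: u64) -> usize {
    let n = usize::try_from(elements).expect("table size must fit in usize");
    n.checked_mul(ELEMENT_SIZE).expect("table size overflow")
}

/// Hardened form: every step that can fail is reported as an error, so the
/// embedder decides what to do with a module requesting an absurd table.
pub fn table_bytes_checked(elements: u64) -> Result<usize, TableError> {
    let n = usize::try_from(elements).map_err(|_| TableError::SizeOverflow { elements })?;
    n.checked_mul(ELEMENT_SIZE)
        .ok_or(TableError::SizeOverflow { elements })
}

/// Embedder-side defence: bound the request before any arithmetic, in the
/// spirit of a pooling allocator that caps table sizes up front.
pub fn allocate_table(elements: u64, max_elements: u64) -> Result<usize, TableError> {
    if elements > max_elements {
        return Err(TableError::ExceedsLimit { elements, limit: max_elements });
    }
    table_bytes_checked(elements)
}

fn main() {
    // Constructed sample requests: a realistic table and a memory64-range one
    // whose byte size (2^61 * 8 = 2^64) cannot fit in a 64-bit usize.
    for elements in [1024u64, 1u64 << 61] {
        match allocate_table(elements, 1 << 20) {
            Ok(bytes) => println!("{elements} elements -> {bytes} bytes"),
            Err(e) => println!("{elements} elements -> rejected: {e}"),
        }
    }
}
```

The panicking variant is the shape to look for in review: a `checked_*` call whose result is immediately unwrapped gains nothing over plain arithmetic from a denial-of-service standpoint, because the guest still controls whether the host process aborts. The `allocate_table` bound is the cheaper defence and is independent of the arithmetic fix.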

Patches

Wasmtime 36.0.8, 43.0.2, and 44.0.1 have all been released and fix this issue.

Workarounds

Embeddings can switch to using the pooling allocator to work around this issue, or the memory64 WebAssembly proposal can be disabled. Otherwise there is no workaround and users are recommended to upgrade.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-05-07T00:08:59Z",
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

crates.io / wasmtime

Package

Affected ranges

Type
SEMVER
Events
Introduced
30.0.0
Fixed
36.0.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-p8xm-42r7-89xg/GHSA-p8xm-42r7-89xg.json"

crates.io / wasmtime

Package

Affected ranges

Type
SEMVER
Events
Introduced
37.0.0
Fixed
43.0.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-p8xm-42r7-89xg/GHSA-p8xm-42r7-89xg.json"