PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44216 bytecodealliance CVE debrief

A denial-of-service vulnerability exists in Wasmtime's WebAssembly table allocation logic. From versions 30.0.0 through 36.0.8, 37.0.0 through 43.0.2, and 44.0.0, checked arithmetic operations panic on overflow when allocating tables with extremely large sizes. This condition is triggerable via the WebAssembly memory64 proposal, which extends table sizes to the 64-bit range. The panic occurs during module or component instantiation when attempting to create oversized tables. The vulnerability has been patched in versions 36.0.8, 43.0.2, and 44.0.1. No known exploitation in the wild has been reported.

Vendor: bytecodealliance
Product: wasmtime
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-18
Advisory published: 2026-05-14
Advisory updated: 2026-05-18

Who should care

Organizations running Wasmtime as a WebAssembly runtime for untrusted or third-party modules, particularly those supporting the memory64 proposal. Cloud platforms offering WebAssembly execution services and developers embedding Wasmtime in serverless or edge computing environments should prioritize patching.

Technical summary

The vulnerability stems from checked arithmetic overflow in table allocation code paths. When the WebAssembly memory64 proposal is enabled, table sizes can exceed 32-bit limits, causing multiplication operations during allocation to overflow. The Rust panic handler terminates the runtime, resulting in denial of service. The fix implements proper overflow handling or bounds checking before arithmetic operations.
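
The failure pattern described above, as an added Rust illustration that is not Wasmtime's code: a table size computation whose overflow check ends in a panic, beside a form that returns an error to the caller. The function names, the 16-byte element size and the 1 GiB cap are assumptions made for this example.

```rust
// Added illustration, not Wasmtime source. Names, ELEM_SIZE and the cap are assumptions.
use std::panic;

const ELEM_SIZE: u64 = 16; // assumed bytes per table slot
const MAX_TABLE_BYTES: u64 = 1 << 30; // assumed embedder policy: 1 GiB per table

#[derive(Debug, PartialEq)]
pub enum TableError {
    Overflow,
    OverLimit { requested: u64, limit: u64 },
}

/// Panicking pattern: the checked multiply detects the overflow, but the
/// `expect` converts it into a panic that takes the host process down.
pub fn table_bytes_panicking(elements: u64) -> u64 {
    elements.checked_mul(ELEM_SIZE).expect("table size overflow")
}

/// Hardened pattern: overflow and policy violations become errors that
/// instantiation can hand back to the embedder.
pub fn table_bytes_checked(elements: u64) -> Result<u64, TableError> {
    let bytes = elements.checked_mul(ELEM_SIZE).ok_or(TableError::Overflow)?;
    if bytes > MAX_TABLE_BYTES {
        return Err(TableError::OverLimit { requested: bytes, limit: MAX_TABLE_BYTES });
    }
    Ok(bytes)
}

/// True when the panicking path panics for this element count.
pub fn panics(elements: u64) -> bool {
    panic::catch_unwind(move || table_bytes_panicking(elements)).is_err()
}

fn main() {
    // Constructed inputs: a small table, a large 64-bit table, and u64::MAX.
    for n in [1_000u64, 1 << 40, u64::MAX] {
        println!("{:>20} elements: panicking path panics = {}, checked = {:?}",
                 n, panics(n), table_bytes_checked(n));
    }
}
```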

Defensive priority

medium

Recommended defensive actions

  • Upgrade Wasmtime to patched versions 36.0.8, 43.0.2, or 44.0.1 depending on your current release branch
  • Review WebAssembly module sources for untrusted memory64 table declarations
  • Implement resource limits on WebAssembly instantiation to prevent excessive table allocation attempts
  • Monitor application logs for panic conditions during module instantiation

Evidence notes

The vulnerability was disclosed via GitHub Security Advisory GHSA-p8xm-42r7-89xg and subsequently published to NVD. The issue affects multiple version ranges due to branching release patterns. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, privileged access requirements, and high availability impact.
