VDB

CVE-2026-34943

CVE-2026-34943 PUBLISHED CVSS 5.599999904632568 MEDIUM

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags the component model specifies that these bits should be ignored but Wasmtime will panic when this value is lifted. This panic only affects wasmtime's implementation of lifting into Val, not when using the flags! macro. This additionally only affects flags-typed values which are part of a WIT interface. This has the risk of being a guest-controlled panic within the host which Wasmtime considers a DoS vector. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.

EPSS 0.02% · 4.9th percentile

Risk Scores

CVSS v4.0
5.599999904632568
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.02%
4.9th percentile

Affected Products

VendorProductVersions
bytecodealliancewasmtime< 24.0.7, >= 25.0.0, < 36.0.7, >= 37.0.0, < 42.0.2
crates.iowasmtime25.0.0, 0, 37.0.0

Timeline

  • Apr 9, 2026 CVE Published
  • Apr 10, 2026 Security Advisory
  • Apr 20, 2026 CVE Updated
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
  • May 25, 2026 EPSS Score
  • May 26, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›