Skip to content

RadicalNotion.AI

We do not sell or share your personal information

© 2026 RadicalNotion.AI

Security Data

CWE Directory
CAPEC Directory
CNA Directory
CNA Report Cards
Data Sources

Calculators

CVSS Calculator
CVSS 4.0
CVSS 3.1
CVSS 3.0
CVSS 2.0

Platform

My Vulnerabilities
Insights
Notifications
Account
Pricing

Learn

All guides
What is a CVE?
What is CVSS?
The CISA KEV catalog
What is EPSS?

Company

About us
Blog
Book a demo

Get Started

Sign up
Log in

Legal

Privacy
Terms

Security data

Weaknesses (CWE)The MITRE CWE weakness catalog
Attack Patterns (CAPEC)MITRE CAPEC attack patterns
CNAsNumbering authorities + report cards
VendorsVulnerabilities by vendor

Tools

CVSS CalculatorScore CVSS 4.0, 3.1, 3.0 & 2.0

Resources

LearnPlain-English security guides
Data SourcesHow we source CVE data

About Us Blog Pricing Book a Demo

Log in

Home
Vendors
Bytecodealliance
Wasmtime

bytecodealliance wasmtime Vulnerabilities: CVEs, CISA KEV & Security Advisories

bytecodealliance

41 CVEs

bytecodealliance wasmtime Vulnerabilities

CVE security advisories and vulnerability history for wasmtime by bytecodealliance.

41

Total CVEs

Published

0

In CISA KEV

Exploited in the wild

2

Public exploits

With known exploit

5.2

Avg CVSS

2021–2026

Last updated May 14, 2026

Overview

bytecodealliance wasmtime has 41 published CVE records since 2021, of which 0 are in CISA's Known Exploited Vulnerabilities catalog and 2 have a known public exploit. The average CVSS base score across scored CVEs is 5.2.

This page aggregates every publicly disclosed vulnerability (CVE) affecting bytecodealliance wasmtime, with a severity breakdown, the affected and patched versions, the most common weakness types, and the full CVE list.

Severity and exploitation

How the CVSS severity of bytecodealliance wasmtime's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical3

High4

Medium20

Low14

In CISA’s Known Exploited Vulnerabilities catalog

0

None of bytecodealliance wasmtime's CVEs are currently listed in CISA's KEV catalog.

Public exploits

2

2 of bytecodealliance wasmtime's CVEs have a known public exploit available.

Affected versions and CVEs

Browse every bytecodealliance wasmtime version named in a CVE, then pick one to see only the CVEs that affect it.

Specific versions

Fixed in

36.0.711 CVEs
42.0.211 CVEs
43.0.16 CVEs
24.0.75 CVEs
0.30.03 CVEs
1.0.23 CVEs
101998733b74624cbd348a2366d05760b40181f33 CVEs
2.0.23 CVEs
398a73f0dd862dbe703212ebae8e34036a18c11c3 CVEs
40.0.43 CVEs
41.0.43 CVEs
486c88be11d5e51ede4e6f271efc4a530c3d82b13 CVEs
572fbc8c54b5a9519154c57e28b86cfaaba57bbb3 CVEs

Find a version

41 CVEs

Sort

Wasmtime: Panic when allocating a table exceeding the size of the host's address space
CVE-2026-44216
Patch
CWE-770
Medium · CVSS 5.9
EPSS 0.0% (16th pct)2026-05-14
Wasmtime has an out-of-bounds write or crash when transcoding component model strings
CVE-2026-35195
Patch
CWE-787
Medium · CVSS 6.1
EPSS 0.0% (2th pct)2026-04-09
Wasmtime has an improperly masked return value from `table.grow` with Winch compiler backend
CVE-2026-35186
Patch
CWE-789
High · CVSS 7.5
EPSS 0.1% (17th pct)2026-04-09
Wasmtime leaks data between pooling allocator instances
CVE-2026-34988
Patch
CWE-119
Low · CVSS 2.3
EPSS 0.0% (1th pct)2026-04-09
Wasmtime with Winch compiler backend on aarch64 may allow a sandbox-escaping memory access
CVE-2026-34987
Patch
CWE-787
Critical · CVSS 9.0
EPSS 0.1% (18th pct)2026-04-09
Wasmtime has a use-after-free bug after cloning `wasmtime::Linker`
CVE-2026-34983
Public exploit
Patch
CWE-416
Low · CVSS 1.0
EPSS 0.0% (0th pct)2026-04-09
Wasmtime miscompiled guest heap access enables sandbox escape on aarch64 Cranelift
CVE-2026-34971
Patch
CWE-787
Critical · CVSS 9.0
EPSS 0.0% (4th pct)2026-04-09
Wasmtime's host panics when Winch compiler executes `table.fill`
CVE-2026-34946
Patch
CWE-670
Medium · CVSS 5.9
EPSS 0.0% (5th pct)2026-04-09
Wasmtime leaks host data with 64-bit tables and Winch
CVE-2026-34945
Patch
CWE-681
Low · CVSS 2.3
EPSS 0.0% (3th pct)2026-04-09
Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64
CVE-2026-34944
Patch
CWE-248
Medium · CVSS 4.1
EPSS 0.0% (2th pct)2026-04-09
Wasmtime panics when lifting `flags` component value
CVE-2026-34943
Patch
CWE-248
Medium · CVSS 5.6
EPSS 0.0% (5th pct)2026-04-09
Wasmtime panics when transcoding misaligned utf-16 strings
CVE-2026-34942
Patch
CWE-129
Medium · CVSS 5.9
EPSS 0.0% (5th pct)2026-04-09
Wasmtime has a Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding
CVE-2026-34941
Patch
CWE-125
Medium · CVSS 6.9
EPSS 0.0% (5th pct)2026-04-09
Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance
CVE-2026-27572
Patch
CWE-770
Medium · CVSS 6.9
EPSS 0.0% (10th pct)2026-02-24
Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion
CVE-2026-27204
Patch
CWE-770
Medium · CVSS 6.9
EPSS 0.1% (26th pct)2026-02-24
Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future
CVE-2026-27195
Public exploit
Patch
CWE-755
Medium · CVSS 6.9
EPSS 0.1% (24th pct)2026-02-24
Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64
CVE-2026-24116
Patch
CWE-125
Medium · CVSS 4.1
EPSS 0.0% (1th pct)2026-01-27
Wasmtime provides unsound API access to a WebAssembly shared linear memory
CVE-2025-64345
Patch
CWE-362
Low · CVSS 1.8
EPSS 0.0% (2th pct)2025-11-12
Wasmtime vulnerable to segfault when using component resources
CVE-2025-62711
Patch
CWE-755
Low · CVSS 2.1
EPSS 0.0% (2th pct)2025-10-24
Wasmtime has memory leak in C API with `externref` and `anyref` types
CVE-2025-61670
Patch
CWE-772
Low · CVSS 1.0
EPSS 0.0% (5th pct)2025-10-07
Wasmtime has host panic with `fd_renumber` WASIp1 function
CVE-2025-53901
Patch
CWE-672
Low · CVSS 3.5
EPSS 0.4% (60th pct)2025-07-18
Wasmtime doesn't fully sandbox all the Windows device filenames
CVE-2024-51745
Patch
CWE-184
Low · CVSS 2.3
EPSS 0.3% (54th pct)2024-11-05
Wasmtime race condition could lead to WebAssembly control-flow integrity and type safety violations
CVE-2024-47813
Patch
CWE-367
Low · CVSS 2.9
EPSS 0.0% (3th pct)2024-10-09
Wasmtime runtime crash when combining tail calls with trapping imports
CVE-2024-47763
Patch
CWE-670
Medium · CVSS 5.5
EPSS 0.0% (1th pct)2024-10-09
Low vulnerability · 2024-04-04
CVE-2024-30266
Patch
CWE-843
Low · CVSS 3.3
EPSS 0.0% (7th pct)2024-04-04
Miscompilation of wasm `i64x2.shr_s` instruction with constant input on x86_64
CVE-2023-41880
Patch
CWE-193
Low · CVSS 2.2
EPSS 0.2% (42th pct)2023-09-15
Low vulnerability · 2023-04-27
CVE-2023-30624
Patch
CWE-758
Low · CVSS 3.9
EPSS 0.2% (37th pct)2023-04-27
Critical vulnerability · 2023-03-08
CVE-2023-26489
Patch
CWE-125
Critical · CVSS 10.0
EPSS 2.6% (86th pct)2023-03-08
Low vulnerability · 2023-03-08
CVE-2023-27477
Patch
CWE-193
Low · CVSS 3.1
EPSS 0.5% (65th pct)2023-03-08
Low vulnerability · 2022-11-10
CVE-2022-39394
Patch
CWE-787
Low · CVSS 3.8
EPSS 0.1% (30th pct)2022-11-10

Showing 30 of 41

Common weakness types

The CWE weakness categories most often found in bytecodealliance wasmtime CVEs. Follow any weakness for its full explanation.

CWE-787Out-of-bounds Write6 CVEs
CWE-416Use After Free4 CVEs
CWE-125Out-of-bounds Read3 CVEs
CWE-770Allocation of Resources Without Limits or Throttling3 CVEs
CWE-682Incorrect Calculation2 CVEs
CWE-248Uncaught Exception2 CVEs
CWE-755Improper Handling of Exceptional Conditions2 CVEs
CWE-193Off-by-one Error2 CVEs

Disclosure activity by year

How many bytecodealliance wasmtime CVEs were published each year.

2021

4

2022

8

2023

4

2024

4

2025

4

2026

17

Other bytecodealliance products

Browse vulnerabilities for other products by bytecodealliance.

wasm-micro-runtime11 CVEs webassembly micro runtime11 CVEs cranelift-codegen6 CVEs wasm_micro_runtime2 CVEs webassembly_micro_runtime2 CVEs cap-std1 CVEs lucet1 CVEs rustix1 CVEs

All bytecodealliance vulnerabilities

Frequently asked questions

Common questions about bytecodealliance wasmtime vulnerabilities.

How many CVEs does bytecodealliance wasmtime have?

bytecodealliance wasmtime has 41 published CVE records since 2021.

How many bytecodealliance wasmtime CVEs are in CISA KEV?

None of bytecodealliance wasmtime's CVEs are currently listed in CISA's Known Exploited Vulnerabilities catalog.

Are there public exploits for bytecodealliance wasmtime vulnerabilities?

Yes — 2 of bytecodealliance wasmtime's CVEs have a known public exploit.

Which versions of bytecodealliance wasmtime are affected?

203 distinct bytecodealliance wasmtime versions are named across its CVEs. Use the version filter above to see the CVEs affecting a specific version.

What are the most common weakness types in bytecodealliance wasmtime CVEs?

bytecodealliance wasmtime's CVEs most often map to these CWE weakness types: CWE-787 (Out-of-bounds Write), CWE-416 (Use After Free), CWE-125 (Out-of-bounds Read), CWE-770 (Allocation of Resources Without Limits or Throttling).

How many critical bytecodealliance wasmtime vulnerabilities are there?

bytecodealliance wasmtime has 3 critical and 4 high-severity CVEs.

What is the average severity of bytecodealliance wasmtime CVEs?

The average CVSS base score across bytecodealliance wasmtime's scored CVEs is 5.2.

References

All bytecodealliance vulnerabilities
The MITRE CVE Program (opens in a new tab)
Learn: What is a CVE?
CWE directory: the weakness types these CVEs map to

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track bytecodealliance wasmtime vulnerabilities

Monitor new bytecodealliance wasmtime vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing

On this page

Overview
Severity and exploitation
Affected versions and CVEs
Common weakness types
Disclosure activity
Other products
FAQ
References

a528e0383e1177119a6c985dac1972513df11a033 CVEs

b39f087414f27ae40c44449ed5d1154e03449bff3 CVEs

d938a9df47c8e62014c1a12571547411ede6ff5e3 CVEs

dc38c5b110862df44e9934ec90dc45e875f188353 CVEs

0.38.12 CVEs

21359a8ca3d4d885b9edc886fb388410e7e1f87e2 CVEs

24.0.62 CVEs

36.0.62 CVEs

4.0.12 CVEs

52a565bb9d8ae2f8652171fc0e7b3e81e2a3f4f42 CVEs

6e4dbe359a335dd74d9a6cf88146a94c901497af2 CVEs

70ceccd40ecf882908571933b996690f359f00212 CVEs

72bedc12e00084fdf49f7d4f5d40b979c184b0a52 CVEs

8043c1f919a77905255eded33e4e51a6fbfd1de12 CVEs

eb421594ea75049c8351a932506f671260f670e62 CVEs

f18f06e6dea00a78c06913061d952b26ed700b922 CVEs

f2054e0911f55af50686bee4da39d15308e14aec2 CVEs

0.33.11 CVE

0.34.21 CVE

0.35.21 CVE

0.38.21 CVE

00fd7bc4d1ce64feb3ca82161216721b740ec5711 CVE

06ef14387760e52371fb68d4b30baf22fd5760751 CVE

10.0.21 CVE

11.0.21 CVE

12.0.21 CVE

15991947f485a60298e45d1d915125c0f3cc5a8a1 CVE

17d037f93c6afe6ae997d6f0bf792c29f56a3da71 CVE

192f2fcdadfec9d0cf6b58548a85a7307450cbf51 CVE

1fa25caeef80b0baabe15bdabaa03d14458db0da1 CVE

24.0.21 CVE

24.0.41 CVE

29b67c0e8a6fb75184c3b60709a7105988b4d1c11 CVE

2d29546c3a0dce48294285b5dee3e8198eb5d2f11 CVE

33.0.21 CVE

34.0.21 CVE

36.0.51 CVE

36.0.81 CVE

38.0.31 CVE

38524ca8e9f37c8a673041ff6a6b4574c91cf1021 CVE

390241fbf9736f3698f07cf0b0add73b752fe66c1 CVE

40.0.31 CVE

41.0.11 CVE

43.0.21 CVE

4c22e15bade0a8590d8272f5be85426cb134601b1 CVE

55fa924960710aac906a0547d158d0fde960ddad1 CVE

59bfe50acaffd69f267946d35abe9f87a3b07e291 CVE

5dc2bbccbb363e474d2c9a1b8e38a89a43bbd5d11 CVE

6.0.21 CVE

63fb30e4b4415455d47b3da5a19d79c12f4f2d1f1 CVE

79a5d2ac52ea76e47265c46a77d329ca0e6839c91 CVE

7a95dd3259f40707966445e9c32d8e1a3bf9b3261 CVE

7f57d0bb0948fa56cc950278d0db230ed10e86641 CVE

94c223fa694a33bf2eec429e91c8114660d28c571 CVE

95559c01aaa7c061088a433040f31e8291fb09d01 CVE

9e2adfb34531610d691f74dd3f559bc5b800eb021 CVE

c29a9bb9e23b48a95b0a03f3b90f885ab1252a931 CVE

d9dc16b28c36609f9f1e08be3f9e8b799eafd59c1 CVE

ed0d2fec1990469bff2b0346a3ba929f77a663bd1 CVE

ef7b9b75735370ca32d9ec98bdd2e0dfee99e11d1 CVE

fb88a749bb1224290db5b99ebe4831bae3be93d11 CVE