Search for packages
| purl | pkg:cargo/wasmtime@25.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-12d3-3scc-d3as
Aliases: CVE-2026-34946 GHSA-q49f-xg75-m9xw |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-1k85-pygw-xfat
Aliases: CVE-2026-34943 GHSA-m758-wjhj-p3jq |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-2m6r-ymr5-yydu
Aliases: CVE-2026-27572 GHSA-243v-98vx-264h |
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-53h8-6zx3-j3a2
Aliases: CVE-2026-34945 GHSA-m9w2-8782-2946 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-6us3-f3cj-u3ez
Aliases: CVE-2026-34944 GHSA-qqfj-4vcm-26hv |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-b3zm-e7q5-rqdp
Aliases: CVE-2024-47763 GHSA-q8hx-mm92-4wvg PYSEC-2024-312 RUSTSEC-2024-0440 |
Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtime crash is a deterministic process abort when Wasmtime is compiled with Rust 1.81 and later. WebAssembly tail calls are a proposal which relatively recently reached stage 4 in the standardization process. Wasmtime first enabled support for tail calls by default in Wasmtime 21.0.0, although that release contained a bug where it was only on-by-default for some configurations. In Wasmtime 22.0.0 tail calls were enabled by default for all configurations. The specific crash happens when an exported function in a WebAssembly module (or component) performs a `return_call` (or `return_call_indirect` or `return_call_ref`) to an imported host function which captures a stack trace (for example, the host function raises a trap). In this situation, the stack-walking code previously assumed there was always at least one WebAssembly frame on the stack but with tail calls that is no longer true. With the tail-call proposal it's possible to have an entry trampoline appear as if it directly called the exit trampoline. This situation triggers an internal assert in the stack-walking code which raises a Rust `panic!()`. When Wasmtime is compiled with Rust versions 1.80 and prior this means that an `extern "C"` function in Rust is raising a `panic!()`. This is technically undefined behavior and typically manifests as a process abort when the unwinder fails to unwind Cranelift-generated frames. When Wasmtime is compiled with Rust versions 1.81 and later this panic becomes a deterministic process abort. Overall the impact of this issue is that this is a denial-of-service vector where a malicious WebAssembly module or component can cause the host to crash. There is no other impact at this time other than availability of a service as the result of the crash is always a crash and no more. This issue was discovered by routine fuzzing performed by the Wasmtime project via Google's OSS-Fuzz infrastructure. We have no evidence that it has ever been exploited by an attacker in the wild. All versions of Wasmtime which have tail calls enabled by default have been patched: * 21.0.x - patched in 21.0.2 * 22.0.x - patched in 22.0.1 * 23.0.x - patched in 23.0.3 * 24.0.x - patched in 24.0.1 * 25.0.x - patched in 25.0.2. Wasmtime versions from 12.0.x (the first release with experimental tail call support) to 20.0.x (the last release with tail-calls off-by-default) have support for tail calls but the support is disabled by default. These versions are not affected in their default configurations, but users who explicitly enabled tail call support will need to either disable tail call support or upgrade to a patched version of Wasmtime. The main workaround for this issue is to disable tail support for tail calls in Wasmtime, for example with `Config::wasm_tail_call(false)`. Users are otherwise encouraged to upgrade to patched versions. |
Affected by 0 other vulnerabilities. |
|
VCID-er33-2cqe-jkhm
Aliases: CVE-2026-34942 GHSA-jxhv-7h78-9775 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-j92q-zqxf-4qby
Aliases: CVE-2024-47813 GHSA-7qmx-3fpx-r45m PYSEC-2024-311 RUSTSEC-2024-0439 |
Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly's control-flow integrity (CFI) and type safety. Users that do not use `wasmtime::Engine` across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected. Reproducing this bug requires creating and dropping multiple type instances (such as `wasmtime::FuncType` or `wasmtime::ArrayType`) concurrently on multiple threads, where all types are associated with the same `wasmtime::Engine`. **Wasm guests cannot trigger this bug.** See the "References" section below for a list of Wasmtime types-related APIs that are affected. Wasmtime maintains an internal registry of types within a `wasmtime::Engine` and an engine is shareable across threads. Types can be created and referenced through creation of a `wasmtime::Module`, creation of `wasmtime::FuncType`, or a number of other APIs where the host creates a function (see "References" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly's `call_indirect` function, for example. This bug is a race condition in this management where the internal type registry could be corrupted to trigger an assert or contain invalid state. Wasmtime's internal representation of a type has individual types (e.g. one-per-host-function) maintain a registration count of how many time it's been used. Types additionally have state within an engine behind a read-write lock such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where one thread atomically decrements a type entry's registration count, observes zero registrations, and then acquires a lock in order to unregister that entry. However, between when this first thread observed the zero-registration count and when it acquires that lock, another thread could perform the following sequence of events: re-register another copy of the type, which deduplicates to that same entry, resurrecting it and incrementing its registration count; then drop the type and decrement its registration count; observe that the registration count is now zero; acquire the type registry lock; and finally unregister the type. Now, when the original thread finally acquires the lock and unregisters the entry, it is the second time this entry has been unregistered. This bug was originally introduced in Wasmtime 19's development of the WebAssembly GC proposal. This bug affects users who are not using the GC proposal, however, and affects Wasmtime in its default configuration even when the GC proposal is disabled. Wasmtime users using 19.0.0 and after are all affected by this issue. We have released the following Wasmtime versions, all of which have a fix for this bug: * 21.0.2 * 22.0.1 * 23.0.3 * 24.0.1 * 25.0.2. If your application creates and drops Wasmtime types on multiple threads concurrently, there are no known workarounds. Users are encouraged to upgrade to a patched release. |
Affected by 0 other vulnerabilities. |
|
VCID-kqy3-94u1-4kc4
Aliases: CVE-2026-35186 GHSA-f984-pcp8-v2p7 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-svnx-p11j-h7e7
Aliases: CVE-2026-27204 GHSA-852m-cvvp-9p4w |
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested by the guests. This serves as a Denial of Service vector. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 have all been released with the fix for this issue. These versions do not prevent this issue in their default configuration to avoid breaking preexisting behaviors. All versions of Wasmtime have appropriate knobs to prevent this behavior, and Wasmtime 42.0.0-and-later will have these knobs tuned by default to prevent this issue from happening. There are no known workarounds for this issue without upgrading. Embedders are recommended to upgrade and configure their embeddings as necessary to prevent possibly-malicious guests from triggering this issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-t58z-rn3r-17hy
Aliases: CVE-2026-34987 GHSA-xx5w-cvp6-jv83 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-u3yt-mrz8-6faa
Aliases: CVE-2026-35195 GHSA-394w-hwhg-8vgm |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-vcmk-n4b5-6yc3
Aliases: CVE-2026-34941 GHSA-hx6p-xpx3-jvvv |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-13T06:28:59.298538+00:00 | GHSA Importer | Affected by | VCID-kqy3-94u1-4kc4 | https://github.com/advisories/GHSA-f984-pcp8-v2p7 | 38.6.0 |
| 2026-06-13T06:28:59.171169+00:00 | GHSA Importer | Affected by | VCID-t58z-rn3r-17hy | https://github.com/advisories/GHSA-xx5w-cvp6-jv83 | 38.6.0 |
| 2026-06-13T06:28:55.065993+00:00 | GHSA Importer | Affected by | VCID-u3yt-mrz8-6faa | https://github.com/advisories/GHSA-394w-hwhg-8vgm | 38.6.0 |
| 2026-06-13T06:28:54.731808+00:00 | GHSA Importer | Affected by | VCID-12d3-3scc-d3as | https://github.com/advisories/GHSA-q49f-xg75-m9xw | 38.6.0 |
| 2026-06-13T06:28:54.627062+00:00 | GHSA Importer | Affected by | VCID-53h8-6zx3-j3a2 | https://github.com/advisories/GHSA-m9w2-8782-2946 | 38.6.0 |
| 2026-06-13T06:28:54.493024+00:00 | GHSA Importer | Affected by | VCID-6us3-f3cj-u3ez | https://github.com/advisories/GHSA-qqfj-4vcm-26hv | 38.6.0 |
| 2026-06-13T06:28:54.363983+00:00 | GHSA Importer | Affected by | VCID-1k85-pygw-xfat | https://github.com/advisories/GHSA-m758-wjhj-p3jq | 38.6.0 |
| 2026-06-13T06:28:54.201712+00:00 | GHSA Importer | Affected by | VCID-er33-2cqe-jkhm | https://github.com/advisories/GHSA-jxhv-7h78-9775 | 38.6.0 |
| 2026-06-13T06:28:54.098683+00:00 | GHSA Importer | Affected by | VCID-vcmk-n4b5-6yc3 | https://github.com/advisories/GHSA-hx6p-xpx3-jvvv | 38.6.0 |
| 2026-06-11T20:38:18.596248+00:00 | GHSA Importer | Affected by | VCID-2m6r-ymr5-yydu | https://github.com/advisories/GHSA-243v-98vx-264h | 38.6.0 |
| 2026-06-11T20:38:18.518766+00:00 | GHSA Importer | Affected by | VCID-svnx-p11j-h7e7 | https://github.com/advisories/GHSA-852m-cvvp-9p4w | 38.6.0 |
| 2026-06-11T20:36:11.678357+00:00 | GHSA Importer | Affected by | VCID-j92q-zqxf-4qby | https://github.com/advisories/GHSA-7qmx-3fpx-r45m | 38.6.0 |
| 2026-06-11T20:36:11.464994+00:00 | GHSA Importer | Affected by | VCID-b3zm-e7q5-rqdp | https://github.com/advisories/GHSA-q8hx-mm92-4wvg | 38.6.0 |