Search for packages
| purl | pkg:cargo/wasmtime@37.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-12d3-3scc-d3as
Aliases: CVE-2026-34946 GHSA-q49f-xg75-m9xw |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-1k85-pygw-xfat
Aliases: CVE-2026-34943 GHSA-m758-wjhj-p3jq |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-2m6r-ymr5-yydu
Aliases: CVE-2026-27572 GHSA-243v-98vx-264h |
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime. |
Affected by 0 other vulnerabilities. |
|
VCID-53h8-6zx3-j3a2
Aliases: CVE-2026-34945 GHSA-m9w2-8782-2946 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-6us3-f3cj-u3ez
Aliases: CVE-2026-34944 GHSA-qqfj-4vcm-26hv |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-d32d-dqr8-q3dn
Aliases: CVE-2026-24116 GHSA-vc8c-j3xm-xj73 |
Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should updated to supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it's not recommended to disabled guard pages as it is a key defense-in-depth measure of Wasmtime. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-er33-2cqe-jkhm
Aliases: CVE-2026-34942 GHSA-jxhv-7h78-9775 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-jx2n-db65-hubp
Aliases: CVE-2026-44216 GHSA-p8xm-42r7-89xg |
Affected by 0 other vulnerabilities. |
|
|
VCID-kqy3-94u1-4kc4
Aliases: CVE-2026-35186 GHSA-f984-pcp8-v2p7 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-qqwv-ra7z-v3df
Aliases: CVE-2026-34971 GHSA-jhxm-h53p-jm7w |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-rx33-aa4d-mudk
Aliases: CVE-2025-64345 GHSA-hc7m-r6v8-hg9q |
Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host. Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via `Memory::new` and shared memories are now excluded from core dumps. As a workaround, eembeddings affected by this issue should use `SharedMemory::new` instead of `Memory::new` to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-svnx-p11j-h7e7
Aliases: CVE-2026-27204 GHSA-852m-cvvp-9p4w |
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested by the guests. This serves as a Denial of Service vector. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 have all been released with the fix for this issue. These versions do not prevent this issue in their default configuration to avoid breaking preexisting behaviors. All versions of Wasmtime have appropriate knobs to prevent this behavior, and Wasmtime 42.0.0-and-later will have these knobs tuned by default to prevent this issue from happening. There are no known workarounds for this issue without upgrading. Embedders are recommended to upgrade and configure their embeddings as necessary to prevent possibly-malicious guests from triggering this issue. |
Affected by 0 other vulnerabilities. |
|
VCID-t58z-rn3r-17hy
Aliases: CVE-2026-34987 GHSA-xx5w-cvp6-jv83 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-u3yt-mrz8-6faa
Aliases: CVE-2026-35195 GHSA-394w-hwhg-8vgm |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-vcmk-n4b5-6yc3
Aliases: CVE-2026-34941 GHSA-hx6p-xpx3-jvvv |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-xzfa-qwym-p7gt
Aliases: CVE-2026-34988 GHSA-6wgr-89rj-399p |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-13T06:30:01.000634+00:00 | GHSA Importer | Affected by | VCID-jx2n-db65-hubp | https://github.com/advisories/GHSA-p8xm-42r7-89xg | 38.6.0 |
| 2026-06-13T06:28:59.331556+00:00 | GHSA Importer | Affected by | VCID-kqy3-94u1-4kc4 | https://github.com/advisories/GHSA-f984-pcp8-v2p7 | 38.6.0 |
| 2026-06-13T06:28:59.203616+00:00 | GHSA Importer | Affected by | VCID-t58z-rn3r-17hy | https://github.com/advisories/GHSA-xx5w-cvp6-jv83 | 38.6.0 |
| 2026-06-13T06:28:55.099244+00:00 | GHSA Importer | Affected by | VCID-u3yt-mrz8-6faa | https://github.com/advisories/GHSA-394w-hwhg-8vgm | 38.6.0 |
| 2026-06-13T06:28:55.004476+00:00 | GHSA Importer | Affected by | VCID-xzfa-qwym-p7gt | https://github.com/advisories/GHSA-6wgr-89rj-399p | 38.6.0 |
| 2026-06-13T06:28:54.839726+00:00 | GHSA Importer | Affected by | VCID-qqwv-ra7z-v3df | https://github.com/advisories/GHSA-jhxm-h53p-jm7w | 38.6.0 |
| 2026-06-13T06:28:54.699457+00:00 | GHSA Importer | Affected by | VCID-12d3-3scc-d3as | https://github.com/advisories/GHSA-q49f-xg75-m9xw | 38.6.0 |
| 2026-06-13T06:28:54.592856+00:00 | GHSA Importer | Affected by | VCID-53h8-6zx3-j3a2 | https://github.com/advisories/GHSA-m9w2-8782-2946 | 38.6.0 |
| 2026-06-13T06:28:54.556350+00:00 | GHSA Importer | Affected by | VCID-6us3-f3cj-u3ez | https://github.com/advisories/GHSA-qqfj-4vcm-26hv | 38.6.0 |
| 2026-06-13T06:28:54.427626+00:00 | GHSA Importer | Affected by | VCID-1k85-pygw-xfat | https://github.com/advisories/GHSA-m758-wjhj-p3jq | 38.6.0 |
| 2026-06-13T06:28:54.237756+00:00 | GHSA Importer | Affected by | VCID-er33-2cqe-jkhm | https://github.com/advisories/GHSA-jxhv-7h78-9775 | 38.6.0 |
| 2026-06-13T06:28:54.132279+00:00 | GHSA Importer | Affected by | VCID-vcmk-n4b5-6yc3 | https://github.com/advisories/GHSA-hx6p-xpx3-jvvv | 38.6.0 |
| 2026-06-11T20:38:18.613650+00:00 | GHSA Importer | Affected by | VCID-2m6r-ymr5-yydu | https://github.com/advisories/GHSA-243v-98vx-264h | 38.6.0 |
| 2026-06-11T20:38:18.559462+00:00 | GHSA Importer | Affected by | VCID-svnx-p11j-h7e7 | https://github.com/advisories/GHSA-852m-cvvp-9p4w | 38.6.0 |
| 2026-06-11T20:37:39.723424+00:00 | GHSA Importer | Affected by | VCID-d32d-dqr8-q3dn | https://github.com/advisories/GHSA-vc8c-j3xm-xj73 | 38.6.0 |
| 2026-06-11T20:36:45.709703+00:00 | GHSA Importer | Affected by | VCID-rx33-aa4d-mudk | https://github.com/advisories/GHSA-hc7m-r6v8-hg9q | 38.6.0 |