pkg:crates.io/wasmtime

79 total CVEsCRITICAL6HIGH18MEDIUM33LOW16

✅ Check your installed version

All known vulnerabilities

CRITICAL10.0CVE-2024-51745Wasmtime doesn't fully sandbox all the Windows device filenames
>= 0.0.0-0, < 24.0.2, >= 25.0.0, < 25.0.3, >= 26.0.0, < 26.0.1
CRITICAL10.0CVE-2024-51745Wasmtime doesn't fully sandbox all the Windows device filenames
from 0, < 24.0.2
CRITICAL9.9CVE-2026-34987Wasmtime with Winch compiler backend may allow a sandbox-escaping memory access
>= 25.0.0, < 36.0.7
CRITICAL9.9CVE-2026-34987Wasmtime with Winch compiler backend may allow a sandbox-escaping memory access
>= 0.0.0-0, < 36.0.7, >= 37.0.0, < 42.0.2, >= 43.0.0, < 43.0.1
CRITICAL9.9CVE-2023-26489wasmtime vulnerable to guest-controlled out-of-bounds read/write on x86_64
>= 0.0.0-0, < 4.0.1, >= 5.0.0, < 5.0.1, >= 6.0.0, < 6.0.1
CRITICAL9.9CVE-2023-26489wasmtime vulnerable to guest-controlled out-of-bounds read/write on x86_64
>= 0.37.0, < 4.0.1
HIGH8.6CVE-2022-39393Wasmtime may have data leakage between instances in the pooling allocator
>= 0.0.0-0, < 1.0.2, >= 2.0.0, < 2.0.2
HIGH8.6CVE-2022-39393Wasmtime may have data leakage between instances in the pooling allocator
>= 0.0.0-0, < 1.0.2, >= 2.0.0, < 2.0.2
HIGH8.6CVE-2022-39393Wasmtime may have data leakage between instances in the pooling allocator
>= 2.0.0, < 2.0.2
HIGH8.1CVE-2026-34941Wasmtime: Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding
>= 0.0.0-0, < 24.0.7, >= 25.0.0, < 36.0.7, >= 37.0.0, < 42.0.2, >= 43.0.0, < 43.0.1
HIGH8.1CVE-2026-34941Wasmtime: Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding
from 0, < 24.0.7
HIGH8.1CVE-2022-24791Use after free in Wasmtime
>= 0.0.0-0, < 0.34.2, >= 0.35.0, < 0.35.2
HIGH8.1CVE-2022-24791Use after free in Wasmtime
from 0, < 0.34.2
HIGH8.1CVE-2022-24791Use after free in Wasmtime
>= 0.34.0, < 0.34.2, >= 0.35.0, < 0.35.2
HIGH7.8CVE-2026-34971Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift
>= 0.0.0-0, < 36.0.7, >= 37.0.0, < 42.0.2, >= 43.0.0, < 43.0.1
HIGH7.8CVE-2026-34971Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift
>= 32.0.0, < 36.0.7
HIGH7.5CVE-2026-44216Panic when allocating a table exceeding the size of the host's address space
>= 30.0.0, < 36.0.8
HIGH7.5CVE-2026-44216Panic when allocating a table exceeding the size of the host's address space
>= 30.0.0, < 36.0.8, >= 37.0.0, < 43.0.2, >= 44.0.0, < 44.0.1
HIGH7.5CVE-2026-34946Wasmtime has host panic when Winch compiler executes `table.fill`
>= 0.0.0-0, < 36.0.7, >= 37.0.0, < 42.0.2, >= 43.0.0, < 43.0.1
HIGH7.5CVE-2026-34946Wasmtime has host panic when Winch compiler executes `table.fill`
>= 25.0.0, < 36.0.7
HIGH7.5CVE-2026-34943Wasmtime has a possible panic when lifting `flags` component value
from 0, < 24.0.7
HIGH7.5CVE-2026-34943Wasmtime has a possible panic when lifting `flags` component value
>= 0.0.0-0, < 24.0.7, >= 25.0.0, < 36.0.7, >= 37.0.0, < 42.0.2, >= 43.0.0, < 43.0.1
HIGH7.5CVE-2026-27572Panic adding excessive fields to a `wasi:http/types.fields` instance
from 0, < 24.0.6
HIGH7.5CVE-2026-27572Panic adding excessive fields to a `wasi:http/types.fields` instance
>= 0.0.0-0, < 24.0.6, >= 25.0.0, < 36.0.6, >= 37.0.0, < 40.0.4, >= 41.0.0, < 41.0.4
MEDIUM6.5CVE-2026-34945Wasmtime has host data leakage with 64-bit tables and Winch
>= 0.0.0-0, < 36.0.7, >= 37.0.0, < 42.0.2, >= 43.0.0, < 43.0.1
MEDIUM6.5CVE-2026-34945Wasmtime has host data leakage with 64-bit tables and Winch
>= 25.0.0, < 36.0.7
MEDIUM6.5CVE-2026-34942Wasmtime: Panic when transcoding misaligned utf-16 strings
from 0, < 24.0.7
MEDIUM6.5CVE-2026-34942Wasmtime: Panic when transcoding misaligned utf-16 strings
>= 0.0.0-0, < 24.0.7, >= 25.0.0, < 36.0.7, >= 37.0.0, < 42.0.2, >= 43.0.0, < 43.0.1
MEDIUM6.5CVE-2026-27204Guest-controlled resource exhaustion in WASI implementations
from 0, < 24.0.6
MEDIUM6.5CVE-2026-27204Guest-controlled resource exhaustion in WASI implementations
>= 0.0.0-0, < 24.0.6, >= 25.0.0, < 36.0.6, >= 37.0.0, < 40.0.4, >= 41.0.0, < 41.0.4
MEDIUM6.4CVE-2022-31146Wasmtime vulnerable to Use After Free with `externref`s
>= 0.37.0, < 0.38.2
MEDIUM6.4CVE-2022-31146Wasmtime vulnerable to Use After Free with `externref`s
>= 0.0.0-0, < 0.38.2
MEDIUM6.3CVE-2026-34988Data leakage between pooling allocator instances
>= 0.0.0-0, < 36.0.7, >= 37.0.0, < 42.0.2, >= 43.0.0, < 43.0.1
MEDIUM6.3CVE-2026-34988Data leakage between pooling allocator instances
>= 28.0.0, < 36.0.7
MEDIUM6.3CVE-2021-39216Wrong type for `Linker`-define functions when used across two `Engine`s
>= 0.26.0, < 0.30.0
MEDIUM6.3CVE-2021-39216Wrong type for `Linker`-define functions when used across two `Engine`s
from 0, < 0.30.0
MEDIUM6.3CVE-2021-39216Wrong type for `Linker`-define functions when used across two `Engine`s
from 0, < 0.30.0
MEDIUM6.3CVE-2021-39216Wrong type for `Linker`-define functions when used across two `Engine`s
>= 0.0.0-0, < 0.30.0
MEDIUM5.9CVE-2022-39392Wasmtime out of bounds read/write with zero-memory-pages configuration
>= 0.0.0-0, < 1.0.2, >= 2.0.0, < 2.0.2
MEDIUM5.9CVE-2022-39392Wasmtime out of bounds read/write with zero-memory-pages configuration
>= 0.0.0-0, < 1.0.2, >= 2.0.0, < 2.0.2
MEDIUM5.9CVE-2022-39392Wasmtime out of bounds read/write with zero-memory-pages configuration
>= 2.0.0, < 2.0.2
MEDIUM5.9CVE-2022-23636Miscompilation of constant values in division on AArch64
>= 0.0.0-0, < 0.33.1, >= 0.34.0, < 0.34.1
MEDIUM5.9CVE-2022-23636Miscompilation of constant values in division on AArch64
from 0, < 0.38.2
MEDIUM5.9CVE-2022-23636Miscompilation of constant values in division on AArch64
>= 0.34.0, < 0.34.1
MEDIUM5.9CVE-2022-23636Miscompilation of constant values in division on AArch64
>= 0.0.0-0, < 0.38.2
MEDIUM5.7CVE-2026-34944Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64
from 0, < 24.0.7
MEDIUM5.7CVE-2026-34944Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64
>= 0.0.0-0, < 24.0.7, >= 25.0.0, < 36.0.7, >= 37.0.0, < 42.0.2, >= 43.0.0, < 43.0.1
MEDIUM5.5CVE-2026-24116Wasmtime segfault or unused out-of-sandbox load with `f64.copysign` operator on x86-64
>= 29.0.0, < 36.0.5, >= 37.0.0, < 40.0.3, >= 41.0.0, < 41.0.1
MEDIUM5.5CVE-2026-24116Wasmtime segfault or unused out-of-sandbox load with `f64.copysign` operator on x86-64
>= 29.0.0, < 36.0.5
MEDIUM5.5CVE-2024-47763Runtime crash when combining tail calls with stack traces
>= 21.0.0, < 21.0.2, >= 22.0.0, < 22.0.1, >= 23.0.0, < 23.0.3, >= 24.0.0, < 24.0.1, >= 25.0.0, < 25.0.2
MEDIUM5.5CVE-2024-47763Runtime crash when combining tail calls with stack traces
>= 12.0.0, < 21.0.2
MEDIUM5.4CVE-2026-35195Out-of-bounds write or crash when transcoding component model strings
>= 0.0.0-0, < 24.0.7, >= 25.0.0, < 36.0.7, >= 37.0.0, < 42.0.2, >= 43.0.0, < 43.0.1
MEDIUM5.4CVE-2026-35195Out-of-bounds write or crash when transcoding component model strings
from 0, < 24.0.7
MEDIUM5.0CVE-2026-34983Use-after-free bug after cloning `wasmtime::Linker`
>= 43.0.0, < 43.0.1
MEDIUM5.0CVE-2026-34983Use-after-free bug after cloning `wasmtime::Linker`
>= 43.0.0, < 43.0.1
MEDIUM4.8CVE-2022-31104Miscompilation of `i8x16.swizzle` and `select` with v128 inputs
>= 0.0.0-0, < 0.38.1
MEDIUM4.8CVE-2022-31104Miscompilation of `i8x16.swizzle` and `select` with v128 inputs
from 0, < 0.38.1
LOW3.9CVE-2023-30624Undefined Behavior in Rust runtime functions
>= 0.0.0-0, < 6.0.2, >= 7.0.0, < 7.0.1, >= 8.0.0, < 8.0.1
LOW3.9CVE-2023-30624Undefined Behavior in Rust runtime functions
from 0, < 6.0.2
LOW3.8CVE-2022-39394wasmtime_trap_code C API function has out of bounds write vulnerability
>= 0.0.0-0, < 1.0.2, >= 2.0.0, < 2.0.2
LOW3.8CVE-2022-39394wasmtime_trap_code C API function has out of bounds write vulnerability
>= 2.0.0, < 2.0.2
LOW3.5CVE-2025-53901Host panic with `fd_renumber` WASIp1 function
>= 10.0.0, < 24.0.4, >= 25.0.0, < 33.0.2, >= 34.0.0, < 34.0.2
LOW3.5CVE-2025-53901Host panic with `fd_renumber` WASIp1 function
>= 10.0.0, < 24.0.4
LOW3.3CVE-2024-30266Panic when using a dropped extenref-typed element segment
>= 19.0.0, < 19.0.1
LOW3.3CVE-2024-30266Panic when using a dropped extenref-typed element segment
>= 19.0.0, < 19.0.1
LOW3.1CVE-2023-27477wasmtime vulnerable to miscompilation of `i8x16.select` with the same inputs on x86_64
>= 1.0.0, < 4.0.1
LOW3.1CVE-2023-27477wasmtime vulnerable to miscompilation of `i8x16.select` with the same inputs on x86_64
>= 0.0.0-0, < 4.0.1, >= 5.0.0, < 5.0.1, >= 6.0.0, < 6.0.1
LOW2.9CVE-2024-47813Race condition could lead to WebAssembly control-flow integrity and type safety violations
>= 19.0.0, < 21.0.2
LOW2.9CVE-2024-47813Race condition could lead to WebAssembly control-flow integrity and type safety violations
>= 19.0.0, < 21.0.2, >= 22.0.0, < 22.0.1, >= 23.0.0, < 23.0.3, >= 24.0.0, < 24.0.1, >= 25.0.0, < 25.0.2
LOW2.2CVE-2023-41880Miscompilation of wasm `i64x2.shr_s` instruction with constant input on x86\_64
>= 10.0.0, < 10.0.2
LOW2.2CVE-2023-41880Miscompilation of wasm `i64x2.shr_s` instruction with constant input on x86\_64
>= 0.0.0-0, < 10.0.2, >= 11.0.0, < 11.0.2, >= 12.0.0, < 12.0.2
LOW1.8CVE-2025-64345Unsound API access to a WebAssembly shared linear memory
>= 0.0.0-0, < 24.0.5, >= 25.0.0, < 36.0.3, >= 37.0.0, < 37.0.3, >= 38.0.0, < 38.0.4
LOW1.8CVE-2025-64345Unsound API access to a WebAssembly shared linear memory
>= 38.0.0, < 38.0.4
—CVE-2026-35186Improperly masked return value from `table.grow` with Winch compiler backend
>= 0.0.0-0, < 36.0.7, >= 37.0.0, < 42.0.2, >= 43.0.0, < 43.0.1
—CVE-2026-35186Improperly masked return value from `table.grow` with Winch compiler backend
>= 25.0.0, < 36.0.7
—CVE-2026-27195Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future
>= 39.0.0, < 40.0.4, >= 41.0.0, < 41.0.4
—CVE-2026-27195Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future
>= 39.0.0, < 40.0.4
—CVE-2025-62711Wasmtime vulnerable to segfault when using component resources
>= 38.0.0, < 38.0.3
—CVE-2025-62711Wasmtime vulnerable to segfault when using component resources
>= 38.0.0, < 38.0.3