UBUNTU-CVE-2026-44216 | Mondoo Vulnerability Intelligence

UBUNTU-CVE-2026-44216

HIGH7.8

Published May 14, 2026

Modified 3 weeks ago

Details

Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables can have sizes in the 64-bit range as opposed to the previous 32-bit range which would not overflow. The panic happens when attempting to create a very large table, such as when instantiating a WebAssembly module or component. This vulnerability is fixed in 36.0.8, 43.0.2, and 44.0.1.

Affected Packages

rust-wasmtime

Ubuntu 24.04 LTS

Affected versions:

10.0.1+dfsg-715.0.1+dfsg-416.0.0+dfsg-216.0.0+dfsg-3

rust-wasmtime

Ubuntu 25.10

Affected versions:

26.0.1+dfsg-3

rust-wasmtime

Ubuntu 26.04 LTS

Affected versions:

26.0.1+dfsg-326.0.1+dfsg-428.0.1+dfsg-329.0.1+dfsg-536.0.5+dfsg-1

References

REPORT

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg

REPORT

https://ubuntu.com/security/CVE-2026-44216

REPORT

https://www.cve.org/CVERecord?id=CVE-2026-44216

CVSS Analysis

CVSS v4.0

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

PresentAT:P

Privileges Required

LowPR:L

User Interaction

PassiveUI:P

Vulnerable System

Vuln. Confidentiality

NoneVC:N

Vuln. Integrity

NoneVI:N

Vuln. Availability

HighVA:H

Subsequent System

Subseq. Confidentiality

NoneSC:N

Subseq. Integrity

NoneSI:N

Subseq. Availability

NoneSA:N

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Upstream

CVE-2026-44216

Ecosystems

Ubuntu 24.04 LTS Ubuntu 25.10 Ubuntu 26.04 LTS

Timeline

PublishedMay 14, 2026

ModifiedMay 14, 2026