CVE Vulnerabilities

CVE-2026-34943

Uncaught Exception

Published: Apr 09, 2026 | Modified: Jun 17, 2026
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags the component model specifies that these bits should be ignored but Wasmtime will panic when this value is lifted. This panic only affects wasmtimes implementation of lifting into Val, not when using the flags! macro. This additionally only affects flags-typed values which are part of a WIT interface. This has the risk of being a guest-controlled panic within the host which Wasmtime considers a DoS vector. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.

Weakness

An exception is thrown from a function, but it is not caught.

Affected Software

NameVendorStart VersionEnd Version
WasmtimeBytecodealliance*24.0.7 (excluding)
WasmtimeBytecodealliance25.0.0 (including)36.0.7 (excluding)
WasmtimeBytecodealliance37.0.0 (including)42.0.2 (excluding)
WasmtimeBytecodealliance43.0.0 (including)43.0.1 (excluding)
Rust-wasmtimeUbuntuquesting*

References