bytecodealliance

Top products

The 15 most recently published vulnerabilities affecting bytecodealliance.

• CVE-2026-47261Wasmtime: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction7.5Jun 15, 2026
• CVE-2026-44216Wasmtime: Panic when allocating a table exceeding the size of the host's address space7.5May 14, 2026
• CVE-2026-35195Wasmtime has an out-of-bounds write or crash when transcoding component model strings5.4Apr 9, 2026
• CVE-2026-35186Wasmtime has an improperly masked return value from `table.grow` with Winch compiler backend7.5Apr 9, 2026
• CVE-2026-34988Wasmtime leaks data between pooling allocator instances6.3Apr 9, 2026
• CVE-2026-34987Wasmtime with Winch compiler backend on aarch64 may allow a sandbox-escaping memory access9.9Apr 9, 2026
• CVE-2026-34983Wasmtime has a use-after-free bug after cloning `wasmtime::Linker`5.0Apr 9, 2026
• CVE-2026-34971Wasmtime miscompiled guest heap access enables sandbox escape on aarch64 Cranelift7.8Apr 9, 2026
• CVE-2026-34946Wasmtime's host panics when Winch compiler executes `table.fill`7.5Apr 9, 2026
• CVE-2026-34945Wasmtime leaks host data with 64-bit tables and Winch6.5Apr 9, 2026
• CVE-2026-34944Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-645.7Apr 9, 2026
• CVE-2026-34943Wasmtime panics when lifting `flags` component value7.5Apr 9, 2026
• CVE-2026-34942Wasmtime panics when transcoding misaligned utf-16 strings6.5Apr 9, 2026
• CVE-2026-34941Wasmtime has a Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding8.1Apr 9, 2026
• CVE-2026-27572Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance7.5Feb 24, 2026