CVE-2026-34943
Panic Vulnerability in Wasmtime Flags-Typed Component Causes DoS
Publication date: 2026-04-09
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bytecodealliance | wasmtime | Before 24.0.7 (exc) |
| bytecodealliance | wasmtime | From 25.0.0 (inc) to 36.0.7 (exc) |
| bytecodealliance | wasmtime | From 37.0.0 (inc) to 42.0.2 (exc) |
| bytecodealliance | wasmtime | From 43.0.0 (inc) to 43.0.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-34943 causes a potential Denial of Service (DoS) due to a panic in Wasmtime when handling certain flags-typed component model values. However, the vulnerability does not impact confidentiality or integrity of data.
Since there is no impact on confidentiality or integrity, this vulnerability does not directly affect compliance with data protection standards and regulations such as GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity.
Nevertheless, the availability impact (DoS) could indirectly affect compliance if system availability is a regulatory requirement, but no explicit connection to such standards is stated.
Can you explain this vulnerability to me?
CVE-2026-34943 is a vulnerability in the Wasmtime runtime for WebAssembly that occurs when a flags-typed component model value is lifted into the Val type. According to the component model specification, bits set outside the defined set of flags should be ignored, but Wasmtime incorrectly triggers a panic if such bits are present during this lifting process.
This panic only happens in Wasmtime's implementation of lifting into Val and does not affect the use of the flags! macro. It specifically affects flags-typed values that are part of a WebAssembly Interface Types (WIT) interface.
The vulnerability allows a guest-controlled panic within the host environment, which Wasmtime considers a Denial of Service (DoS) vector. There is no known workaround other than upgrading to patched versions.
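The lifting rule described above, as an added example that is not Wasmtime's own code: a minimal canonical-ABI flags lifter in Rust, showing the panicking shape the advisory describes beside the spec-conformant one that ignores undefined bits. FlagsType, lift_strict and lift are hypothetical names; the packing assumed here (bit i of the packed value lives in 32-bit word i/32) follows the component model canonical ABI.

```rust
// Added example, not Wasmtime's code: lift a component-model `flags` value
// from its canonical-ABI 32-bit words; undefined bits must be ignored, not fatal.

/// A `flags` type from a WIT interface: bit i of the packed words is names[i].
pub struct FlagsType<'a> {
    pub names: &'a [&'a str],
}

impl<'a> FlagsType<'a> {
    /// Number of 32-bit words the canonical ABI uses for this type.
    pub fn word_count(&self) -> usize {
        (self.names.len() + 31) / 32
    }

    /// Mask of the bits in word `w` that carry a declared flag.
    fn defined_mask(&self, w: usize) -> u32 {
        let bits = (self.names.len() - w * 32).min(32);
        if bits == 32 { u32::MAX } else { (1u32 << bits) - 1 }
    }

    /// Names whose bit is set; bits with no name are never consulted.
    fn collect_set(&self, words: &[u32]) -> Vec<&'a str> {
        let is_set = |i: usize| (words[i / 32] & (1u32 << (i % 32))) != 0;
        self.names.iter().enumerate().filter(|&(i, _)| is_set(i)).map(|(_, n)| *n).collect()
    }

    /// Sketch of the faulty behaviour the advisory describes: undefined bits are
    /// treated as fatal, so a guest-supplied value crashes the host (CWE-248).
    pub fn lift_strict(&self, words: &[u32]) -> Vec<&'a str> {
        assert_eq!(words.len(), self.word_count(), "wrong word count");
        for (w, word) in words.iter().enumerate() {
            assert_eq!(*word & !self.defined_mask(w), 0, "undefined flag bits set");
        }
        self.collect_set(words)
    }

    /// Spec-conformant lifting: stray bits are ignored, and a word-count
    /// mismatch (a genuine ABI error) is reported as a value, not a panic.
    pub fn lift(&self, words: &[u32]) -> Result<Vec<&'a str>, String> {
        let want = self.word_count();
        if words.len() != want {
            return Err(format!("expected {want} flags words, got {}", words.len()));
        }
        Ok(self.collect_set(words))
    }
}
```

A host-side test that feeds a value with high bits set through both paths is a cheap regression check: the strict path unwinds, the conformant path returns the declared flags unchanged.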
How can this vulnerability impact me?
This vulnerability can lead to a Denial of Service (DoS) condition in the host environment running Wasmtime. Specifically, if a guest provides flags-typed values with bits set outside the allowed set, Wasmtime will panic during the lifting process, potentially crashing or disrupting the host.
The impact is limited to availability, with no effect on confidentiality or integrity. However, the DoS can interrupt services relying on Wasmtime, causing downtime or degraded performance.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs specifically when Wasmtime lifts a flags-typed component model value into the Val type and encounters bits set outside the defined set of flags, causing a panic. Detection would involve monitoring Wasmtime runtime behavior for panic events related to component model value lifting.
There are no specific commands or automated detection tools mentioned for identifying this vulnerability on a network or system.
To detect potential exploitation, you could monitor Wasmtime logs or runtime output for panic messages triggered by invalid flags-typed values in WIT interfaces.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Wasmtime to one of the patched versions that fix this vulnerability: 24.0.7, 36.0.7, 42.0.2, or 43.0.1.
There is no known workaround for hosts using wasmtime::component::Val with flags types in the component model.
Upgrading to a fixed version is strongly advised to prevent potential guest-controlled panics that could lead to Denial of Service (DoS).