Upcoming Security Release for Wasmtime on 2026-04-09


Alex Crichton

Apr 6, 2026, 2:02:41 PM
to sec-an...@bytecodealliance.org
The Wasmtime project would like to announce a forthcoming security release of Wasmtime.

The release will be made available on 2026-04-09 at approximately 18:00 UTC. Additionally, an advisory will be made available on the same date and time at https://github.com/advisories.

The highest severity issue fixed in this release is CRITICAL based on the classification scheme defined by CVSS.

Alex Crichton

Apr 9, 2026, 1:04:57 PM
to sec-an...@bytecodealliance.org
[Update 2026-04-09] Security releases available

Wasmtime versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 are now available on crates.io. Additionally, binary releases are available on GitHub for the Wasmtime C-API shared library and CLI at https://github.com/bytecodealliance/wasmtime/releases. This security release fixes 12 advisories documented below and there is more information available at https://bytecodealliance.org/articles/wasmtime-security-advisories.

These releases fix the following security issues rated CRITICAL: 

Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift

Wasmtime with Winch compiler backend may allow a sandbox-escaping memory access

These releases fix the following security issues rated MODERATE:

Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding 

Out-of-bounds write or crash when transcoding component model strings 

Host panic when Winch compiler executes `table.fill` 

Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on Cranelift x86-64 

Improperly masked return value from `table.grow` with Winch compiler backend 

Panic when transcoding misaligned component model UTF-16 strings 

Panic when lifting `flags` component value 

These releases fix the following security issues rated LOW:

Host data leakage with 64-bit tables and Winch 

Data leakage between pooling allocator instances 

