Wasmtine CVE-2025-4416: DoS via Table Allocation Arithmetic Overflow

Vulnerability Overview Title: Panic when allocating a table exceeding the size of the host's address space CVE ID: CVE-2025-4416 Severity: 5.9 / 10 (Moderate) Published by: alexechrixton (3 weeks ago) Description: Wasmtine's WebAssembly table allocation logic contains a check that causes a panic upon arithmetic overflow. This overflow can be triggered and may occur when allocating a table with an extremely large size. This might be related to the WebAssembly memory4 proposal, which allows table sizes within a 64-bit range, whereas the previous 32-bit range would not overflow. The panic occurs when attempting to create a very large table, such as during the instantiation of a WebAssembly module or component. Impact: This bug does not affect the pool allocator that limits table size, as it restricts table sizes to amounts far smaller than what is needed to trigger the overflow. This bug only exists in the on-demand instance allocator, which is Wasmtine's default allocator. This bug also requires the memory4 WebAssembly feature to be enabled, which is not enabled by default. A panic in the host process is considered a Denial of Service (DoS) vector for Wasmtine. Affected Scope: Affected Versions: >= 30.0.0, = 37.0.0, <= 43.0.1, 44.0.0 Fixed Versions: 36.0.8, 43.0.2, 44.0.1 Fix: Wasmtine versions 36.0.8, 43.0.2, and 44.0.1 have been released to address this issue. Workaround: Embedders can switch to using the pool allocator to bypass this issue, or disable the memory4 WebAssembly proposal. Otherwise, users are advised to upgrade.

Goal Reached Thanks to every supporter — we hit 100%!

Wasmtine CVE-2025-4416: DoS via Table Allocation Arithmetic Overflow

More from this source