bytecodealliance — Vulnerabilities & Security Advisories 48

Browse all 48 CVE security advisories affecting bytecodealliance. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Bytecode Alliance is a consortium focused on developing safe, open-source systems programming tools, most notably the WebAssembly System Interface (WASI) and the Cranelift compiler. Its primary objective is enabling secure, portable execution of untrusted code within sandboxed environments, primarily for cloud-native and edge computing applications. Historically, vulnerabilities associated with its ecosystem often stem from memory safety issues in Rust-based components or misconfigurations in WASI sandboxing policies. Common exploit classes include remote code execution via buffer overflows in legacy bindings and privilege escalation through improper capability delegation. While the organization emphasizes formal verification and safe defaults, incidents have occasionally involved improper isolation boundaries allowing escape from WebAssembly sandboxes. The group maintains a rigorous security posture through public audits and continuous integration testing, aiming to mitigate risks inherent in low-level systems programming by enforcing strict memory safety guarantees across its toolchain.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-35195 | Wasmtime has an out-of-bounds write or crash when transcoding component model strings | wasmtime | CWE-787 | 9.9 (AI) | Critical (AI) | 2026-04-09 |
| CVE-2026-35186 | Wasmtime has an improperly masked return value from `table.grow` with Winch compiler backend | wasmtime | CWE-789 | 9.1 (AI) | Critical (AI) | 2026-04-09 |
| CVE-2026-34988 | Wasmtime leaks data between pooling allocator instances | wasmtime | CWE-119 | 7.5 (AI) | High (AI) | 2026-04-09 |
| CVE-2026-34987 | Wasmtime with Winch compiler backend on aarch64 may allow a sandbox-escaping memory access | wasmtime | CWE-125 | 6.3 (AI) | Medium (AI) | 2026-04-09 |
| CVE-2026-34983 | Wasmtime has a use-after-free bug after cloning `wasmtime::Linker` | wasmtime | CWE-416 | 7.5 (AI) | High (AI) | 2026-04-09 |
| CVE-2026-34971 | Wasmtime miscompiled guest heap access enables sandbox escape on aarch64 Cranelift | wasmtime | CWE-125 | 9.1 (AI) | Critical (AI) | 2026-04-09 |
| CVE-2026-34946 | Wasmtime's host panics when Winch compiler executes `table.fill` | wasmtime | CWE-670 | 7.7 (AI) | High (AI) | 2026-04-09 |
| CVE-2026-34945 | Wasmtime leaks host data with 64-bit tables and Winch | wasmtime | CWE-681 | 6.5 (AI) | Medium (AI) | 2026-04-09 |
| CVE-2026-34944 | Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64 | wasmtime | CWE-248 | 7.5 (AI) | High (AI) | 2026-04-09 |
| CVE-2026-34943 | Wasmtime panics when lifting `flags` component value | wasmtime | CWE-248 | 7.5 (AI) | High (AI) | 2026-04-09 |
| CVE-2026-34942 | Wasmtime panics when transcoding misaligned utf-16 strings | wasmtime | CWE-129 | 7.7 (AI) | High (AI) | 2026-04-09 |
| CVE-2026-34941 | Wasmtime has a Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding | wasmtime | CWE-125 | 6.5 (AI) | Medium (AI) | 2026-04-09 |
| CVE-2026-27572 | Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance | wasmtime | CWE-770 | 7.5 | - | 2026-02-24 |
| CVE-2026-27204 | Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion | wasmtime | CWE-400 | 6.5 | - | 2026-02-24 |
| CVE-2026-27195 | Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future | wasmtime | CWE-755 | 6.8 | - | 2026-02-24 |
| CVE-2026-24116 | Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64 | wasmtime | CWE-125 | 7.5 (AI) | High (AI) | 2026-01-27 |
| CVE-2025-64713 | WebAssembly Micro Runtime frame_offset_bottom array bounds overflow in fast Interpreter mode when handling GET_GLOBAL(I32) followed by if opcode | wasm-micro-runtime | CWE-119 | 5.1 | Medium | 2025-11-25 |
| CVE-2025-64704 | WebAssembly Micro Runtime vulnerable to a segmentation fault in v128.store instruction | wasm-micro-runtime | CWE-754 | 4.7 | Medium | 2025-11-25 |
| CVE-2025-64345 | Wasmtime provides unsound API access to a WebAssembly shared linear memory | wasmtime | CWE-362 | 1.8 | Low | 2025-11-12 |
| CVE-2025-62711 | Wasmtime vulnerable to segfault when using component resources | wasmtime | CWE-755 | 7.5 | - | 2025-10-24 |
| CVE-2025-61670 | Wasmtime has memory leak in C API with `externref` and `anyref` types | wasmtime | CWE-772 | 7.5 (AI) | High (AI) | 2025-10-07 |
| CVE-2025-58749 | WAMR runtime hangs or crashes with large memory.fill addresses in LLVM-JIT mode | wasm-micro-runtime | CWE-822 | 6.2 (AI) | Medium (AI) | 2025-09-16 |
| CVE-2025-54126 | WebAssembly Micro Runtime's `--addr-pool` option allows all IPv4 addresses when subnet mask is not specified | wasm-micro-runtime | CWE-668 | 9.1 (AI) | Critical (AI) | 2025-07-29 |
| CVE-2025-53901 | Wasmtime has host panic with `fd_renumber` WASIp1 function | wasmtime | CWE-672 | 3.5 | Low | 2025-07-18 |
| CVE-2025-43853 | iwasm vulnerable to filesystem sandbox escape with symlink when using uvwasi feature | wasm-micro-runtime | CWE-61 | 6.5 (AI) | Medium (AI) | 2025-05-15 |
| CVE-2024-51756 | cap-std doesn't fully sandbox all the Windows device filenames | cap-std | CWE-22 | 7.8 (AI) | High (AI) | 2024-11-05 |
| CVE-2024-51745 | Wasmtime doesn't fully sandbox all the Windows device filenames | wasmtime | CWE-67 | 8.2 (AI) | High (AI) | 2024-11-05 |
| CVE-2024-47813 | Wasmtime race condition could lead to WebAssembly control-flow integrity and type safety violations | wasmtime | CWE-367 | 2.9 | Low | 2024-10-09 |
| CVE-2024-47763 | Wasmtime runtime crash when combining tail calls with trapping imports | wasmtime | CWE-670 | 5.5 | Medium | 2024-10-09 |
| CVE-2024-43806 | `rustix::fs::Dir` iterator with the `linux_raw` backend can cause memory explosion | rustix | CWE-400 | 6.5 | Medium | 2024-08-26 |

This page lists every published CVE security advisory associated with bytecodealliance. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.