bytecodealliance Wasmtime
cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:rust:*:*
- >= 30.0.0, <= 36.0.7
- >= 37.0.0, <= 43.0.1
- 44.0.0
A denial-of-service vulnerability has been identified in Wasmtime, a runtime for WebAssembly, affecting versions from 30.0.0 up to (but not including) the fixed releases 36.0.8, 43.0.2, and 44.0.1. The issue arises in Wasmtime's allocation logic for WebAssembly tables, where checked arithmetic can panic on overflow. The overflow can be triggered by allocating a table with an extremely large size, particularly under the WebAssembly memory64 proposal, which allows table sizes in the 64-bit range. The panic occurs when instantiating a WebAssembly module or component with a very large table, causing the host process to crash. This vulnerability does not affect the pooling allocator; it impacts the on-demand instance allocator, which is the default in Wasmtime.
Exploiting this vulnerability causes a panic in the host process, leading to a denial-of-service condition for Wasmtime.
Users are advised to upgrade to Wasmtime versions 36.0.8, 43.0.2, or 44.0.1. Alternatively, embeddings can switch to the pooling allocator or disable the 'memory64' WebAssembly proposal.
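The defect class described above (an overflow check whose failure is turned into a panic instead of an error) and the embedding-side mitigation of disabling memory64 can both be illustrated in a few lines. The following is an added example and is not Wasmtime's own code: `ELEMENT_SIZE`, `TableError`, `TablePolicy` and the function names are assumptions made for the illustration, and the element-count limit applied when memory64 is off is modelled here simply as the 32-bit index range.

```rust
// Added illustration (not Wasmtime's code): a table-size computation that
// panics on overflow when the element count comes from a 64-bit (memory64)
// table limit, beside a form that reports the failure as an error so the
// host process keeps running.
use std::convert::TryFrom;
use std::mem::size_of;

/// Bytes per table slot. Runtimes typically store one pointer-sized
/// reference per slot; the exact width is an assumption here.
const ELEMENT_SIZE: usize = size_of::<usize>();

/// Mirrors the defect class: `checked_mul` does detect the overflow, but
/// `.expect()` converts the detected overflow into a panic, which in an
/// embedding means the whole host process goes down.
pub fn table_bytes_panicking(elements: u64) -> usize {
    let n = usize::try_from(elements).expect("table size fits in usize");
    n.checked_mul(ELEMENT_SIZE).expect("table byte size overflowed")
}

#[derive(Debug, PartialEq, Eq)]
pub enum TableError {
    /// The requested table cannot be represented or allocated.
    TooLarge { elements: u64 },
}

/// Hardened form: every step propagates an error, so a guest that declares
/// a table with billions of elements gets an instantiation failure rather
/// than crashing the embedding.
pub fn table_bytes_checked(elements: u64) -> Result<usize, TableError> {
    let n = usize::try_from(elements).map_err(|_| TableError::TooLarge { elements })?;
    n.checked_mul(ELEMENT_SIZE)
        .ok_or(TableError::TooLarge { elements })
}

/// Embedding-side policy modelled on the advisory's mitigations: with
/// memory64 disabled, table sizes stay within the 32-bit index range, and an
/// explicit element cap bounds what any single instance may request.
pub struct TablePolicy {
    pub memory64: bool,
    pub max_elements: u64,
}

impl TablePolicy {
    /// Validate a requested table size before any allocation happens.
    pub fn validate(&self, elements: u64) -> Result<usize, TableError> {
        let index_limit = if self.memory64 {
            u64::MAX
        } else {
            u64::from(u32::MAX)
        };
        let limit = self.max_elements.min(index_limit);
        if elements > limit {
            return Err(TableError::TooLarge { elements });
        }
        table_bytes_checked(elements)
    }
}

fn main() {
    // Constructed inputs: a modest table and a memory64-sized request.
    let policy = TablePolicy { memory64: false, max_elements: 1 << 24 };
    println!("{:?}", policy.validate(1024));
    println!("{:?}", policy.validate(u64::MAX));
    // With the panicking form the second request would abort the process;
    // the checked form above returns Err(TooLarge) instead.
}
```

The useful property for a defender is that the huge request never reaches the allocator: `validate` rejects it up front, and even when the policy allows memory64 the byte-size computation fails closed with `Err` instead of `panic!`.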