CVE-2026-34943: Wasmtime has a possible panic when lifting `flags` component value

April 9, 2026 (updated April 24, 2026)

Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags the component model specifies that these bits should be ignored but Wasmtime will panic when this value is lifted. This panic only affects wasmtime’s implementation of lifting into Val, not when using the flags! macro. This additionally only affects flags-typed values which are part of a WIT interface.

This has the risk of being a guest-controlled panic within the host which Wasmtime considers a DoS vector.

References

github.com/advisories/GHSA-m758-wjhj-p3jq
github.com/bytecodealliance/wasmtime
github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m758-wjhj-p3jq
nvd.nist.gov/vuln/detail/CVE-2026-34943
rustsec.org/advisories/RUSTSEC-2026-0085.html

Code Behaviors & Features

Detect and mitigate CVE-2026-34943 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →