RELEASES.md

24.0.8

Released 2026-04-30.

Fixed

• Fixed a bug in lowering of f64.copysign on x86-64 whereby when combined with an f64.load, the resulting machine code could read 16 bytes rather than 8 bytes. This could result in a segfault when Wasmtime is configured without signals-based traps. GHSA-vc8c-j3xm-xj73

---

24.0.7

Released 2026-04-09.

Fixed

• Out-of-bounds write or crash when transcoding component model strings. GHSA-394w-hwhg-8vgm

• Wasmtime segfault or unused out-of-sandbox load with f64x2.splat operator on x86-64. GHSA-qqfj-4vcm-26hv

• Panic when transcoding misaligned utf-16 strings. GHSA-jxhv-7h78-9775

• Panic when lifting flags component value. GHSA-m758-wjhj-p3jq

• Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding. GHSA-hx6p-xpx3-jvvv

---

24.0.6

Released 2026-02-24.

Changed

• Wasmtime's implementation of WASI now has the ability to limit resource consumption on behalf of the guest, such as host-allocated memory. This means that some behaviors previously allowed by Wasmtime can now disallowed, such as transferring excessive data from the guest to the host. Additionally calls to wasi:random/random.get-random-bytes, for example, can have limits in place to avoid allocating too much memory on the host. To preserve backwards-compatible behavior these limits are NOT set by default. Embedders must opt-in to configuring these knobs as appropriate for their embeddings. For more information on this see the related security advisory with further details on knobs added and what behaviors can be restricted. GHSA-852m-cvvp-9p4w

Fixed

• Panics when adding too many headers to a wasi:http/types.fields has been resolved GHSA-243v-98vx-264h

---

24.0.5

Released 2025-11-11.

Fixed

• Prevent using shared memories with Memory. CVE-2025-64345

---

24.0.4

Released 2025-07-18.

Fixed

• Fix a panic in the host caused by preview1 guests using fd_renumber. CVE-2025-53901.

• Fix a panic in the preview1 adapter caused by guests using fd_renumber. #11277

---

24.0.3

Released 2025-06-24.

Fixed

• Fix a panic with host-defined tables/globals and concrete reference types. #11103

---

24.0.2

Released 2024-11-05.

Fixed

• Update to cap-std 3.4.1, for #9559, which fixes a wasi-filesystem sandbox escape on Windows. CVE-2024-51745.

---

24.0.1

Released 2024-10-09.

Fixed

• Fix a runtime crash when combining tail-calls with host imports that capture a stack trace or trap. GHSA-q8hx-mm92-4wvg

• Fix a race condition could lead to WebAssembly control-flow integrity and type safety violations. GHSA-7qmx-3fpx-r45m

---

24.0.0

Released 2024-08-20.

Added

• A new wasmtime_engine_clone function was added to the C API. #8907

• Wasmtime now has basic support for allocating a StructRef in the embedder API. #8933

• The wasmtime run subcommand now support a --argv0 flag indicating the value of the first element to arguments reported to wasm if it shouldn't be the default of the wasm binary name itself. #8961

• Support for Winch on AArch64 continued to improve. #8921 #9018 #9033 #9051

• An initial implementation of the wasi-runtime-config proposal was added to Wasmtime. #8950 #8970 #8981

• Initial support for f16 and f128 in Cranelift continued to improve. #8893 #9045

• More types in wasmtime-wasi-http implement the Debug trait. #8979

• The wasmtime explore subcommand now supports exploring CLIF too. #8972

• Support for SIMD in Winch has begun, but it is not complete yet. #8990 #9006

• Initial work on Pulley, an interpreter for Wasmtime, has begun. #9008 #9013 #9014

• The -Wunknown-imports-trap flag to wasmtime run now supports components. #9021

• An initial implementation of the wasi-keyvalue proposal was added to Wasmtime. #8983 #9032 #9050 #9062

• An unsafe API has been added to unload process trap handlers. #9022

• The s390x backend now fully supports tail calls. #9052

Changed

• The flags type in the component model now has a hard limit of 32-or-fewer flags. For more information about this transition see WebAssembly/component-model#370. #8882

• Multiple returns for functions in the component model are now gated by default and are planned to be removed. #8965

• TCP streams in WASIp2 will now immediately return StreamError::Closed when the TCP stream is closed or shut down. #8968 #9055

• Cranelift will now perform constant propagation on some floating-point operations. #8954

• Wasmtime and Cranelift now require at least Rust 1.78.0 to compile. #9010

• The wasmtime::Val type now implements the Copy trait. #9024

• Wasmtime's wasi-nn implementation has been updated to track the upstream specification. #9056

• Names provided to trappable_imports in bindgen! are now validated to be used. #9057

• Support for multi-package *.wit files now requires a package ...; header at the top of the file. #9053

---

Release notes for previous releases of Wasmtime can be found on the respective release branches of the Wasmtime repository.

• 23.0.x
• 22.0.x
• 21.0.x
• 20.0.x
• 19.0.x
• 18.0.x
• 17.0.x
• 16.0.x
• 15.0.x
• 14.0.x
• 13.0.x
• 12.0.x
• 11.0.x
• 10.0.x
• 9.0.x
• 8.0.x
• 7.0.x
• 6.0.x
• 5.0.x
• 4.0.x
• 3.0.x
• 2.0.x
• 1.0.x
• 0.40.x
• 0.39.x
• 0.38.x
• 0.37.x
• 0.36.x
• 0.35.x
• 0.34.x
• 0.33.x
• 0.32.x (and prior)