CVE-2026-34945
Integer Overflow in Wasmtime Winch Compiler Exposes Host Stack Data
Publication date: 2026-04-09
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bytecodealliance | wasmtime | From 25.0.0 (inc) to 36.0.7 (exc) |
| bytecodealliance | wasmtime | From 37.0.0 (inc) to 42.0.2 (exc) |
| bytecodealliance | wasmtime | From 43.0.0 (inc) to 43.0.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-681 | When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows WebAssembly guests to potentially read sensitive data from the host's stack, which may include confidential information from other host operations.
Such unauthorized disclosure of sensitive data could lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or disclosure.
However, the vulnerability is rated as low severity with limited confidentiality impact and does not affect system integrity or availability.
Organizations using affected Wasmtime versions should upgrade to fixed releases to mitigate potential risks related to compliance.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network/system detection methods provided for this vulnerability in the available information.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users should upgrade Wasmtime to one of the fixed versions: 36.0.7, 42.0.2, or 43.0.1.
If upgrading is not immediately possible, the only other option is to disable the `Config::wasm_memory64` proposal in Wasmtime to avoid exposure to this bug.
No other workarounds exist for users of the Winch compiler.
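To decide which builds need the upgrade, the affected ranges from the table on this page can be checked against a project's `Cargo.lock`. The script below is an added example, not code from the advisory or the Wasmtime project; the function names and the sample lockfile are constructed for illustration. A hit only means the version is in range: exposure still depends on using the Winch compiler with memory64 enabled.

```python
import re

# Affected ranges from the table on this page: (first affected, first fixed).
AFFECTED = [((25, 0, 0), (36, 0, 7)),
            ((37, 0, 0), (42, 0, 2)),
            ((43, 0, 0), (43, 0, 1))]

# One [[package]] entry for the crate named exactly "wasmtime" in Cargo.lock.
PKG_RE = re.compile(
    r'\[\[package\]\]\s*\nname = "wasmtime"\s*\n'
    r'version = "(\d+)\.(\d+)\.(\d+)([^"]*)"')

def fixed_release_for(version, prerelease=False):
    """Return the fixed release for an affected version tuple, else None."""
    for first_bad, first_fixed in AFFECTED:
        if first_bad <= version < first_fixed:
            return first_fixed
        # A pre-release of a fixed version sorts before it in semver,
        # so it is conservatively reported as still affected.
        if prerelease and version == first_fixed:
            return first_fixed
    return None

def audit_lockfile(text):
    """Return [(locked version, fixed version or None)] per wasmtime entry."""
    findings = []
    for m in PKG_RE.finditer(text):
        version = tuple(int(part) for part in m.group(1, 2, 3))
        fixed = fixed_release_for(version, m.group(4).startswith("-"))
        locked = ".".join(map(str, version)) + m.group(4)
        findings.append((locked, ".".join(map(str, fixed)) if fixed else None))
    return findings

# Constructed sample lockfile (not taken from a real project).
SAMPLE_LOCK = '''
[[package]]
name = "wasmtime"
version = "41.0.3"

[[package]]
name = "wasmtime-environ"
version = "41.0.3"

[[package]]
name = "wasmtime"
version = "36.0.7"
'''

if __name__ == "__main__":
    for locked, fixed in audit_lockfile(SAMPLE_LOCK):
        print(locked, "-> upgrade to " + fixed if fixed else "-> not in an affected range")
```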
Can you explain this vulnerability to me?
CVE-2026-34945 is a vulnerability in Wasmtime's Winch compiler related to the handling of 64-bit tables, part of the WebAssembly memory64 proposal. The issue occurs because the return value of the `table.size` instruction was incorrectly typed as a 32-bit integer instead of dynamically checking the table's index type to determine the correct size.
This bug allows WebAssembly guests to potentially read sensitive data from the host's stack, which may include confidential information from other host operations. The flaw arises from a mistake in the compiler's ABI handling, specifically involving multi-value returns, enabling leakage of host stack data into the guest environment.
The vulnerability affects Wasmtime versions from 25.0.0 up to (but not including) 36.0.7, from 37.0.0 up to (but not including) 42.0.2, and 43.0.0. It is fixed in 36.0.7, 42.0.2, and 43.0.1.
How can this vulnerability impact me?
This vulnerability can lead to the disclosure of sensitive data from the host's stack to WebAssembly guests. Such data may include confidential information related to other host-originating operations that are not intended to be exposed.
The impact is limited to a low confidentiality breach; it does not affect system integrity or availability.
The attack vector is network-based, with low attack complexity, requiring low privileges and no user interaction.