CVE-2026-34945
Received Received - Intake
Integer Overflow in Wasmtime Winch Compiler Exposes Host Stack Data

Publication date: 2026-04-09

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34945
EUVD
EUVD-2026-21024
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
bytecodealliance wasmtime From 25.0.0 (inc) to 36.0.7 (exc)
bytecodealliance wasmtime From 37.0.0 (inc) to 42.0.2 (exc)
bytecodealliance wasmtime From 43.0.0 (inc) to 43.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-681 When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

There are no specific detection commands or network/system detection methods provided for this vulnerability in the available information.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade Wasmtime to one of the fixed versions: 36.0.7, 42.0.2, or 43.0.1.

If upgrading is not immediately possible, the only other option is to disable the `Config::wasm_memory64` proposal in Wasmtime to avoid exposure to this bug.

No other workarounds exist for users of the Winch compiler.

Executive Summary

CVE-2026-34945 is a vulnerability in Wasmtime's Winch compiler related to the handling of 64-bit tables, part of the WebAssembly memory64 proposal. The issue occurs because the table.size instruction's return value was incorrectly typed as a 32-bit integer instead of dynamically checking the table's index type to determine the correct size.

This bug allows WebAssembly guests to potentially read sensitive data from the host's stack, which may include confidential information from other host operations. The flaw arises from a mistake in the compiler's ABI handling, specifically involving multi-value returns, enabling leakage of host stack data into the guest environment.

The vulnerability affects Wasmtime versions from 25.0.0 up to before 36.0.7, 42.0.2, and 43.0.1, and is fixed in those versions.

Impact Analysis

This vulnerability can lead to the disclosure of sensitive data from the host's stack to WebAssembly guests. Such data may include confidential information related to other host-originating operations that are not intended to be exposed.

The impact is limited to a low confidentiality breach; it does not affect system integrity or availability.

The attack vector is network-based, with low attack complexity, requiring low privileges and no user interaction.

Compliance Impact

This vulnerability allows WebAssembly guests to potentially read sensitive data from the host's stack, which may include confidential information from other host operations.

Such unauthorized disclosure of sensitive data could lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or disclosure.

However, the vulnerability is rated as low severity with limited confidentiality impact and does not affect system integrity or availability.

Organizations using affected Wasmtime versions should upgrade to fixed releases to mitigate potential risks related to compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34945. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart