CVE-2026-34946
Denial-of-Service in Wasmtime Winch Compiler via table.fill Instruction

Publication date: 2026-04-09

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-of-service vulnerability in Wasmtime due to guests being able to trigger a panic. The specific issue is that a historical refactoring changed how compiled code referenced tables within the table.* instructions. The refactoring did not update the associated Winch code paths, so Winch was using the wrong indexing scheme. Given Winch's feature support, the only problems that can result are tables being mixed up or nonexistent tables being used, so the guest is limited to panicking the host (by using a nonexistent table) or executing spec-incorrect behavior and modifying the wrong table. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
Meta Information

Published: 2026-04-09
Last Modified: 2026-04-20
Generated: 2026-05-07
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs

| Vendor | Product | Version / Range |
|---|---|---|
| bytecodealliance | wasmtime | From 25.0.0 (inc) to 36.0.7 (exc) |
| bytecodealliance | wasmtime | From 37.0.0 (inc) to 42.0.2 (exc) |
| bytecodealliance | wasmtime | From 43.0.0 (inc) to 43.0.1 (exc) |

| CWE ID | Description |
|---|---|
| CWE-670 | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |

AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability causes a denial-of-service (DoS) condition by allowing a valid WebAssembly guest module to trigger a host panic in the Wasmtime runtime's Winch compiler. It impacts availability but does not affect confidentiality or integrity.

Since the vulnerability only affects availability and does not lead to unauthorized access, data leakage, or data modification, it does not directly compromise compliance with standards focused on data protection such as GDPR or HIPAA.

However, availability is a component of many security frameworks, so organizations relying on Wasmtime with the vulnerable versions should consider the risk of service disruption in their compliance and risk management processes.


Can you explain this vulnerability to me?

CVE-2026-34946 is a vulnerability in the Wasmtime WebAssembly runtime's Winch compiler affecting versions from 25.0.0 up to before 36.0.7, 42.0.2, and 43.0.1. The issue stems from a historical refactoring that changed how compiled code references tables within the table.* instructions but failed to update the Winch compiler's code paths accordingly.

Because of this, the Winch compiler uses an incorrect indexing scheme when compiling the table.fill instruction. This flaw allows a valid WebAssembly guest module to cause the host to panic on any architecture, resulting in a denial-of-service (DoS) condition.

The vulnerability manifests either by causing the host to panic due to referencing nonexistent tables or by executing incorrect behavior that modifies the wrong table, which violates specification correctness.


How can this vulnerability impact me?

This vulnerability impacts the availability of the Wasmtime runtime by allowing an attacker to cause a host panic, effectively resulting in a denial-of-service (DoS) condition.

An attacker can exploit this flaw remotely with low privileges and without user interaction, making it relatively easy to trigger the host panic.

The vulnerability does not affect confidentiality or integrity but can disrupt service availability by crashing the host process running Wasmtime.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is related to the Wasmtime runtime's Winch compiler and manifests as a host panic when compiling the table.fill instruction. Detection involves identifying if your system is running a vulnerable version of Wasmtime.

  • Check the Wasmtime version installed on your system to see if it falls within the vulnerable ranges: >= 25.0.0 up to 36.0.6, >= 37.0.0 up to 42.0.1, or version 43.0.0.
  • Use commands like `wasmtime --version` or check the package manager to determine the installed Wasmtime version.
  • Monitor system logs for host panics or crashes related to Wasmtime processes, which may indicate exploitation attempts.

There are no specific network detection commands or signatures mentioned for this vulnerability, as exploitation requires compiling a WebAssembly guest module that triggers the panic.
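
The version check described above can be scripted. The following is an added example, not part of the original advisory or the Wasmtime project: the function names are hypothetical, the sample banners are constructed, and it assumes the version appears as the first x.y.z token in the banner text.

```shell
#!/bin/sh
# Classify a Wasmtime version against the CVE-2026-34946 ranges on this page:
#   25.0.0 <= v < 36.0.7,  37.0.0 <= v < 42.0.2,  43.0.0 <= v < 43.0.1
# The verdict is version-only: per the page, only guests compiled with
# Winch can trigger the panic; Cranelift users are not affected.

# ver_num X.Y.Z: print one comparable integer (assumes each part < 1000).
ver_num() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# in_range V LOW HIGH: succeed when LOW <= V < HIGH.
in_range() {
    v=$(ver_num "$1")
    [ "$v" -ge "$(ver_num "$2")" ] && [ "$v" -lt "$(ver_num "$3")" ]
}

# extract_version TEXT: print the first x.y.z token, or nothing if absent.
extract_version() {
    printf '%s\n' "$1" |
        sed -nE 's/^[^0-9]*([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' | head -n 1
}

# classify_wasmtime TEXT: print affected, not-affected or unknown.
classify_wasmtime() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif in_range "$ver" 25.0.0 36.0.7 ||
         in_range "$ver" 37.0.0 42.0.2 ||
         in_range "$ver" 43.0.0 43.0.1; then
        echo "affected"
    else
        echo "not-affected"
    fi
}

# Constructed sample banners (not captured from real hosts).
for banner in "wasmtime 36.0.6 (abc1234 2026-01-01)" "wasmtime 42.0.2" "24.0.1"; do
    printf '%-40s %s\n' "$banner" "$(classify_wasmtime "$banner")"
done
```

On a host with the CLI installed, `classify_wasmtime "$(wasmtime --version)"` applies the same check to the installed binary.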


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Wasmtime to a patched version that fixes this vulnerability.

  • Upgrade Wasmtime to version 36.0.7, 42.0.2, or 43.0.1 or later, as these versions include the fix for the vulnerability.
  • If you are using the Winch compiler, there is no workaround other than upgrading.
  • Users employing the Cranelift compiler are not affected by this issue.

After upgrading, monitor your systems for any unusual host panics or crashes to ensure the vulnerability is mitigated.

