Executive Summary

CVE-2026-34987 is a critical vulnerability in Wasmtime when using its Winch (baseline) compiler backend, which is a non-default option activated with the flag -Ccompiler=winch.

This vulnerability allows a maliciously crafted WebAssembly (Wasm) guest module to escape its sandbox and access host memory outside the intended linear-memory sandbox boundaries.

The issue arises from an incorrect assumption in the Winch compiler backend regarding 32-bit memory offsets stored in 64-bit registers, where the upper bits are assumed to be cleared but may not be.

This flaw enables out-of-bounds memory access both before and after the linear memory region, regardless of configured pre- or post-guard regions or bounds checking mechanisms.

A proof-of-concept exploit has been demonstrated on the aarch64 architecture, showing that up to 32 KiB of memory before the start of the linear memory and approximately 4 GiB after it can be accessed. On x86-64, the vulnerability is theoretical but may still be exploitable.

Variants of the exploit could potentially access arbitrary in-process memory, leading to severe consequences including host process crashes (segmentation faults), arbitrary data leaks, or arbitrary remote code execution (RCE) if writes are possible.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows a malicious WebAssembly guest to escape its sandbox and access host memory outside intended boundaries, potentially leading to arbitrary data leaks or remote code execution.

Such unauthorized access to memory and potential data leaks could result in exposure of sensitive or personal data, which may violate data protection regulations like GDPR or HIPAA that require strict controls over data confidentiality and integrity.

Therefore, if Wasmtime with the vulnerable Winch compiler backend is used in environments subject to these regulations, this vulnerability could compromise compliance by enabling breaches of confidentiality and integrity safeguards.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including:

• Host process segmentation faults causing denial of service (DoS).
• Arbitrary data leaks from the host process, potentially exposing sensitive information.
• Potential arbitrary remote code execution (RCE) if the exploit is able to write to memory, allowing an attacker to execute malicious code on the host.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability occurs specifically when Wasmtime is used with its Winch compiler backend enabled via the flag `-Ccompiler=winch`. Detection involves verifying if your Wasmtime runtime is running a vulnerable version and if the Winch compiler backend is in use.

To detect if your system is vulnerable, you can check the Wasmtime version and the compiler backend configuration.

• Run `wasmtime --version` to determine the installed Wasmtime version. Versions from 25.0.0 up to 36.0.6, 37.0.0 up to 42.0.1, and 43.0.0 are vulnerable.
• Check if the Winch compiler backend is used by inspecting how Wasmtime is invoked or configured. Look for the flag `-Ccompiler=winch` in command lines or configuration files.

There are no specific network detection commands or signatures mentioned for this vulnerability, as it is a runtime memory access issue triggered by malicious Wasm modules.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Wasmtime to a fixed version where this vulnerability is resolved.

• Upgrade to Wasmtime version 36.0.7, 42.0.2, or 43.0.1 or later, which contain the fixes for this vulnerability.
• If upgrading is not immediately possible, switch from the Winch compiler backend to the default Cranelift backend by removing the `-Ccompiler=winch` flag.

There are no workarounds within the Winch backend itself for affected versions, so avoiding use of the Winch backend or upgrading is essential.

Useful 0 Not Useful 0