CVE-2026-34987
Received Received - Intake
Out-of-Bounds Memory Access in Wasmtime Winch Compiler Enables RCE

Publication date: 2026-04-09

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-memory sandbox. This vulnerability requires use of the Winch compiler (-Ccompiler=winch). By default, Wasmtime uses its Cranelift backend, not Winch. With Winch, the same incorrect assumption is present in theory on both aarch64 and x86-64. The aarch64 case has an observed-working proof of concept, while the x86-64 case is theoretical and may not be reachable in practice. This Winch compiler bug can allow the Wasm guest to access memory before or after the linear-memory region, independently of whether pre- or post-guard regions are configured. The accessible range in the initial bug proof-of-concept is up to 32KiB before the start of memory, or ~4GiB after the start of memory, independently of the size of pre- or post-guard regions or the use of explicit or guard-region-based bounds checking. However, the underlying bug assumes a 32-bit memory offset stored in a 64-bit register has its upper bits cleared when it may not, and so closely related variants of the initial proof-of-concept may be able to access truly arbitrary memory in-process. This could result in a host process segmentation fault (DoS), an arbitrary data leak from the host process, or with a write, potentially an arbitrary RCE. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-15
Generated
2026-05-06
AI Q&A
2026-04-09
EPSS Evaluated
2026-05-05
NVD
CVE-2026-34987
EUVD
EUVD-2026-21031
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
bytecodealliance wasmtime From 25.0.0 (inc) to 36.0.7 (exc)
bytecodealliance wasmtime From 37.0.0 (inc) to 42.0.2 (exc)
bytecodealliance wasmtime 43.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-34987 is a critical vulnerability in Wasmtime when using its Winch (baseline) compiler backend, which is a non-default option activated with the flag -Ccompiler=winch.

This vulnerability allows a maliciously crafted WebAssembly (Wasm) guest module to escape its sandbox and access host memory outside the intended linear-memory sandbox boundaries.

The issue arises from an incorrect assumption in the Winch compiler backend regarding 32-bit memory offsets stored in 64-bit registers, where the upper bits are assumed to be cleared but may not be.

This flaw enables out-of-bounds memory access both before and after the linear memory region, regardless of configured pre- or post-guard regions or bounds checking mechanisms.

A proof-of-concept exploit has been demonstrated on the aarch64 architecture, showing that up to 32 KiB of memory before the start of the linear memory and approximately 4 GiB after it can be accessed. On x86-64, the vulnerability is theoretical but may still be exploitable.

Variants of the exploit could potentially access arbitrary in-process memory, leading to severe consequences including host process crashes (segmentation faults), arbitrary data leaks, or arbitrary remote code execution (RCE) if writes are possible.


How can this vulnerability impact me? :

This vulnerability can have severe impacts including:

  • Host process segmentation faults causing denial of service (DoS).
  • Arbitrary data leaks from the host process, potentially exposing sensitive information.
  • Potential arbitrary remote code execution (RCE) if the exploit is able to write to memory, allowing an attacker to execute malicious code on the host.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs specifically when Wasmtime is used with its Winch compiler backend enabled via the flag `-Ccompiler=winch`. Detection involves verifying if your Wasmtime runtime is running a vulnerable version and if the Winch compiler backend is in use.

To detect if your system is vulnerable, you can check the Wasmtime version and the compiler backend configuration.

  • Run `wasmtime --version` to determine the installed Wasmtime version. Versions from 25.0.0 up to 36.0.6, 37.0.0 up to 42.0.1, and 43.0.0 are vulnerable.
  • Check if the Winch compiler backend is used by inspecting how Wasmtime is invoked or configured. Look for the flag `-Ccompiler=winch` in command lines or configuration files.

There are no specific network detection commands or signatures mentioned for this vulnerability, as it is a runtime memory access issue triggered by malicious Wasm modules.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Wasmtime to a fixed version where this vulnerability is resolved.

  • Upgrade to Wasmtime version 36.0.7, 42.0.2, or 43.0.1 or later, which contain the fixes for this vulnerability.
  • If upgrading is not immediately possible, switch from the Winch compiler backend to the default Cranelift backend by removing the `-Ccompiler=winch` flag.

There are no workarounds within the Winch backend itself for affected versions, so avoiding use of the Winch backend or upgrading is essential.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows a malicious WebAssembly guest to escape its sandbox and access host memory outside intended boundaries, potentially leading to arbitrary data leaks or remote code execution.

Such unauthorized access to memory and potential data leaks could result in exposure of sensitive or personal data, which may violate data protection regulations like GDPR or HIPAA that require strict controls over data confidentiality and integrity.

Therefore, if Wasmtime with the vulnerable Winch compiler backend is used in environments subject to these regulations, this vulnerability could compromise compliance by enabling breaches of confidentiality and integrity safeguards.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart