WebAssembly Runtime Vulnerability in Wasmtime by Bytecode Alliance
CVE-2026-34945

2.3LOW

Key Information:

Vendor: Bytecodealliance
Status: Wasmtime
Vendor: CVE Published:; 9 April 2026

🔔 Create Bytecodealliance Vulnerability Alert

What is CVE-2026-34945?

The Wasmtime runtime for WebAssembly has a vulnerability in its Winch compiler affecting versions from 25.0.0 up to, but not including, 36.0.7, 42.0.1, and 43.0.1. A misimplementation of the table.size instruction for a 64-bit table has been identified, which could result in sensitive data from the host's stack being exposed to WebAssembly guests. This significant flaw arises from mishandling the return value type for table size, treating it as a 32-bit integer instead of reflecting the actual size according to the table's index type. The implications of this bug could potentially lead to unauthorized access to sensitive information not meant to be disclosed. Users are advised to update to patched versions to mitigate this risk.

Affected Version(s)

wasmtime >= 25.0.0, < 36.0.7 < 25.0.0, 36.0.7

wasmtime >= 37.0.0, < 42.0.2 < 37.0.0, 42.0.2

wasmtime >= 43.0.0, < 44.0.1 < 43.0.0, 44.0.1

References

https://github.com/bytecodealliance/wasmtime/security/adv...

x_refsource_CONFIRM

CVSS V4

Score:

2.3

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2026
Vulnerability Reserved
Mar 31, 2026

CVE-2026-34945 Data

JSON