Memory Access Vulnerability in Wasmtime Runtime by Bytecode Alliance
CVE-2026-34987

9CRITICAL

Key Information:

Vendor: Bytecodealliance
Status: Wasmtime
Vendor: CVE Published:; 9 April 2026

🔔 Create Bytecodealliance Vulnerability Alert

What is CVE-2026-34987?

The vulnerability in Wasmtime, a WebAssembly runtime, allows guest Wasm code, when compiled with the Winch backend, to access unauthorized areas of host memory. This occurs due to a flaw in how memory offsets are handled, permitting potential segmentation faults, data leaks, or even arbitrary remote code execution. A proof-of-concept has demonstrated that memory can be accessed before and after the allowed linear-memory region, with implications for both aarch64 and x86-64 architectures. Fixed versions include 36.0.7, 42.0.2, and 43.0.1.

Affected Version(s)

wasmtime >= 25.0.0, < 36.0.7 < 25.0.0, 36.0.7

wasmtime >= 37.0.0, < 42.0.2 < 37.0.0, 42.0.2

wasmtime >= 43.0.0, < 44.0.1 < 43.0.0, 44.0.1

References

https://github.com/bytecodealliance/wasmtime/security/adv...

x_refsource_CONFIRM

CVSS V4

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2026
Vulnerability Reserved
Mar 31, 2026

CVE-2026-34987 Data

JSON