Data Leakage Vulnerability in Wasmtime WebAssembly Runtime
CVE-2026-34988
What is CVE-2026-34988?
Wasmtime is a runtime for WebAssembly. In specific configurations, it has a vulnerability in which linear memory can expose sensitive data between WebAssembly instances. The flaw arises from improper handling of virtual memory permissions in its pooling allocator, which may lead to unintended data exposure when linear memory is reused. It occurs when the pooling allocator is in use with specific settings: data from a previous instance remains accessible to a new instance, breaking the isolation and security guarantees that WebAssembly is intended to provide. The vulnerability is mitigated in versions 36.0.7, 42.0.2, and 43.0.1.
Affected Version(s)
wasmtime >= 28.0.0, < 36.0.7
wasmtime >= 37.0.0, < 42.0.2
wasmtime >= 43.0.0, < 44.0.1
