Vulnerability in Wasmtime Affecting Its Winch Compiler Backend
CVE-2026-35186

6.1MEDIUM

Key Information:

Vendor: Bytecodealliance
Status: Wasmtime
Vendor: CVE Published:; 9 April 2026

🔔 Create Bytecodealliance Vulnerability Alert

What is CVE-2026-35186?

The vulnerability in the Winch compiler backend of Wasmtime arises from a flaw in the translation of the table.grow operator. This leads to a misrepresentation where a 32-bit result is incorrectly typed as a 64-bit value, potentially exposing bytes in the host's unmapped memory space before linear memory. Although Wasmtime's default configurations incorporate guard pages to mitigate risks, explicitly choosing Winch without these safeguards can lead to denial-of-service (DoS) scenarios. The bug can cause the host process to crash, raise correctness concerns in the compiler's operation, and create a risk of leaking up to 16 bytes of sensitive data from the host's memory. The vulnerability has been addressed in the updates 36.0.7, 42.0.2, and 43.0.1.

Affected Version(s)

wasmtime >= 25.0.0, < 36.0.7 < 25.0.0, 36.0.7

wasmtime >= 37.0.0, < 42.0.2 < 37.0.0, 42.0.2

wasmtime >= 43.0.0, < 44.0.1 < 43.0.0, 44.0.1

References

https://github.com/bytecodealliance/wasmtime/security/adv...

x_refsource_CONFIRM

CVSS V4

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2026
Vulnerability Reserved
Apr 1, 2026

CVE-2026-35186 Data

JSON