Wasmtime leaks host data with 64-bit tables and Winch

2.3 / 10

LOW

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Description

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.

Basic Information

ID CVE-2026-34945

Source GitHub_M

Published Apr 9, 2026 at 18:40

Modified Apr 10, 2026 at 14:12

Affected Product

Vendor bytecodealliance

Product wasmtime

Version >= 25.0.0, < 36.0.7

Affected Versions bytecodealliance wasmtime >= 25.0.0, < 36.0.7
bytecodealliance wasmtime >= 37.0.0, < 42.0.2
bytecodealliance wasmtime >= 43.0.0, < 44.0.1

CWE Classification

CWE-681

References

github.com /bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946

{
    "lastseen": "",
    "description": "Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.",
    "published": "2026-04-09T18:40:48.446Z",
    "modified": "2026-04-10T14:12:18.460Z",
    "type": "cve",
    "title": "Wasmtime leaks host data with 64-bit tables and Winch",
    "source": "GitHub_M",
    "references": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946",
    "id": "CVE-2026-34945",
    "bulletinFamily": "",
    "cwe": [
        "CWE-681"
    ],
    "cvelist": null,
    "sourceData": "bytecodealliance wasmtime >= 25.0.0, < 36.0.7\nbytecodealliance wasmtime >= 37.0.0, < 42.0.2\nbytecodealliance wasmtime >= 43.0.0, < 44.0.1",
    "sourceHref": "",
    "cvss": {
        "score": 2.3,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "wasmtime",
    "version": ">= 25.0.0, < 36.0.7",
    "vendor": "bytecodealliance",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Wasmtime leaks host data with 64-bit tables and Winch_CVE-2026-34945