CVE-2026-34945
published 2026-04-09CVE-2026-34945: Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of…
PriorityP337medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EPSS
0.32%
24.1th percentile
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | >= 0.0.0-0 < 36.0.7 | 36.0.7 |
| bytecodealliance | wasmtime | >= 25.0.0 < 36.0.7 | 36.0.7 |
| bytecodealliance | wasmtime | >= 25.0.0 < 36.0.7 | 36.0.7 |
| bytecodealliance | wasmtime | >= 37.0.0 < 42.0.2 | 42.0.2 |
| bytecodealliance | wasmtime | >= 37.0.0 < 42.0.2 | 42.0.2 |
| bytecodealliance | wasmtime | >= 43.0.0 < 43.0.1 | 43.0.1 |
| bytecodealliance | wasmtime | >= 43.0.0 < 43.0.1 | 43.0.1 |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvdv4.02.3LOWCVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat2.3LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Host data leakage with 64-bit tables and Winch
osv·2026-04-09
CVE-2026-34945 Host data leakage with 64-bit tables and Winch
Host data leakage with 64-bit tables and Winch
This is an entry in the RustSec database for the Wasmtime security advisory
located at
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946
For more information see the GitHub-hosted security advisory.
VulDB
bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0 return numeric conversion (GHSA-m9w2-8782-2946)
vuldb·2026-04-09·CVSS 2.3
CVE-2026-34945 [LOW] bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0 return numeric conversion (GHSA-m9w2-8782-2946)
A vulnerability was found in bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0. It has been classified as problematic. This affects an unknown part. Performing a manipulation of the argument return results in incorrect conversion between numeric types.
This vulnerability is known as CVE-2026-34945. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is recommended.
GHSA
Wasmtime has host data leakage with 64-bit tables and Winch
ghsa·2026-04-09
CVE-2026-34945 [LOW] CWE-200 Wasmtime has host data leakage with 64-bit tables and Winch
Wasmtime has host data leakage with 64-bit tables and Winch
### Impact
Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the `table.size` instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests.
This bug specifically arose from a mistake where the return value of `table.size` was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data
OSV
Wasmtime has host data leakage with 64-bit tables and Winch
osv·2026-04-09
CVE-2026-34945 [LOW] Wasmtime has host data leakage with 64-bit tables and Winch
Wasmtime has host data leakage with 64-bit tables and Winch
### Impact
Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the `table.size` instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests.
This bug specifically arose from a mistake where the return value of `table.size` was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data
Red Hat
wasmtime: winch: Wasmtime Winch compiler: Information disclosure via incorrect table.size instruction translation
vendor_redhat·2026-04-09·CVSS 2.3
CVE-2026-34945 [LOW] CWE-681 wasmtime: winch: Wasmtime Winch compiler: Information disclosure via incorrect table.size instruction translation
wasmtime: winch: Wasmtime Winch compiler: Information disclosure via incorrect table.size instruction translation
A flaw was found in Wasmtime's Winch compiler. This vulnerability, present in versions from 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, arises from an incorrect translation of the `table.size` instruction for 64-bit WebAssembly tables. An attacker, by crafting a malicious WebAssembly guest, could exploit this flaw to read sensitive data from the host's stack. This information disclosure could expose data related to other host operations that should not be accessible to guests.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability t
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-34945 tree-sitter: Wasmtime Winch compiler: Information disclosure via incorrect table.size instruction translation [fedora-all]
bugzilla·2026-04-09·CVSS 2.3
CVE-2026-34945 [LOW] CVE-2026-34945 tree-sitter: Wasmtime Winch compiler: Information disclosure via incorrect table.size instruction translation [fedora-all]
CVE-2026-34945 tree-sitter: Wasmtime Winch compiler: Information disclosure via incorrect table.size instruction translation [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-34945 wasmtime: winch: Wasmtime Winch compiler: Information disclosure via incorrect table.size instruction translation
bugzilla·2026-04-09·CVSS 2.3
CVE-2026-34945 [LOW] CVE-2026-34945 wasmtime: winch: Wasmtime Winch compiler: Information disclosure via incorrect table.size instruction translation
CVE-2026-34945 wasmtime: winch: Wasmtime Winch compiler: Information disclosure via incorrect table.size instruction translation
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the r
Wiz
CVE-2026-34945 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.3
CVE-2026-34945 [LOW] CVE-2026-34945 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34945 :
Rust vulnerability analysis and mitigation
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich
2026-04-09
Published