CVE-2026-34946Always-Incorrect Control Flow Implementation in Wasmtime

CWE-670Always-Incorrect Control Flow ImplementationCWE-1285Improper Validation of Specified Index, Position, or Offset in InputCWE-248Uncaught Exception36 documents7 sources
Severity
5.9MEDIUMNVD
EPSS
0.0%
top 96.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Bytecodealliance Wasmtime
Timeline
PublishedApr 9

Description

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-of-service vulnerability in Wasmtime due to guests being able to trigger a panic. The specific issue is that a historical refactoring changed how c

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

crates.iobytecodealliance/wasmtime25.0.036.0.7+3
CVEListV5bytecodealliance/wasmtime>= 25.0.0, < 36.0.7, >= 37.0.0, < 42.0.2, >= 43.0.0, < 44.0.1+2

🔴Vulnerability Details

4
VulDB
bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0 control flow (GHSA-q49f-xg75-m9xw)2026-04-09
OSV
Wasmtime has host panic when Winch compiler executes `table.fill`2026-04-09
GHSA
Wasmtime has host panic when Winch compiler executes `table.fill`2026-04-09
OSV
Host panic when Winch compiler executes `table.fill`2026-04-09

📋Vendor Advisories

1
Red Hat
wasmtime: Wasmtime: Denial of Service via WebAssembly compilation error2026-04-09

🕵️Threat Intelligence

28
Wiz
CVE-2026-34944 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
RUSTSEC-2026-0093 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
RUSTSEC-2026-0095 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-35406 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
RUSTSEC-2026-0085 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

2
Bugzilla
CVE-2026-34946 wasmtime: Wasmtime: Denial of Service via WebAssembly compilation error2026-04-09
Bugzilla
CVE-2026-34946 tree-sitter: Wasmtime: Denial of Service via WebAssembly compilation error [fedora-all]2026-04-09