CVE-2026-34971
Published 2026-04-09
Priority P3 · 46 · high · 7.8 (CVSS 3.1)
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.32% (23.6th percentile)
Wasmtime is a runtime for WebAssembly. From 32.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses, which means that the wrong address is accessed. When combined with explicit bounds checks in a guest WebAssembly module, this can create a situation where there are two diverging computations for the same address: one for the address to bounds-check and one for the address to load. This difference in the address being operated on means that a guest module can pass a bounds check but then load a different address. Combined together, this enables an arbitrary read/write primitive for guest WebAssembly when accessing host memory. This is a sandbox escape, as guests are able to read/write arbitrary host memory.

This vulnerability has a few ingredients, all of which must be met, for this situation to occur and bypass the sandbox restrictions:

- This miscompiled shape of load only occurs on 64-bit WebAssembly linear memories, or when Config::wasm_memory64 is enabled. 32-bit WebAssembly is not affected.
- Spectre mitigations or signals-based-traps must be disabled. When Spectre mitigations are enabled, the offending shape of load is not generated. When signals-based-traps are disabled, Spectre mitigations are also automatically disabled.

The specific bug in Cranelift is a miscompile of a load of the shape load(iadd(base, ishl(index, amt))) where amt is a constant. The amt value is masked incorrectly to test if it's a certain value, and this incorrect mask means that Cranelift can erroneously pattern-match this lowering rule during instruction selection, diverging from WebAssembly's and Cranelift's semantics. This incorrect lowering would, for example, load an address much further away than intended, as the correct address's computation would have wrapped around to a smaller value instead.

This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | >= 0.0.0-0 < 36.0.7 | 36.0.7 |
| bytecodealliance | wasmtime | >= 32.0.0 < 36.0.7 | 36.0.7 |
| bytecodealliance | wasmtime | >= 32.0.0 < 36.0.7 | 36.0.7 |
| bytecodealliance | wasmtime | >= 37.0.0 < 42.0.2 | 42.0.2 |
| bytecodealliance | wasmtime | >= 37.0.0 < 42.0.2 | 42.0.2 |
| bytecodealliance | wasmtime | >= 43.0.0 < 43.0.1 | 43.0.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | v4.0 | 9.0 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | | 9.0 | CRITICAL | |
VulDB
bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0 WebAssembly Config::wasm_memory64 out-of-bounds (GHSA-jhxm-h53p-jm7w)
vuldb·2026-04-09·CVSS 9.0
CVE-2026-34971 [CRITICAL] bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0 WebAssembly Config::wasm_memory64 out-of-bounds (GHSA-jhxm-h53p-jm7w)
A vulnerability, which was classified as problematic, has been found in bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0. This impacts the function Config::wasm_memory64 of the component WebAssembly Module. The manipulation leads to out-of-bounds read.
This vulnerability is documented as CVE-2026-34971. The attack can be initiated remotely. There is not any exploit available.
It is advisable to upgrade the affected component.
OSV
Wasmtime: Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift
osv·2026-04-09
CVE-2026-34971 [CRITICAL] Wasmtime: Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift
### Impact
Wasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses, which means that the wrong address is accessed. When combined with explicit bounds checks in a guest WebAssembly module, this can create a situation where there are two diverging computations for the same address: one for the address to bounds-check and one for the address to load. This difference in the address being operated on means that a guest module can pass a bounds check but then load a different address. Combined together, this enables an arbitrary read/write primitive for guest WebAssembly when accessing host memory. This is a sandbox escape as guests are able to read/write arbi
GHSA
Wasmtime: Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift
ghsa·2026-04-09
CVE-2026-34971 [CRITICAL] CWE-125 Wasmtime: Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift
### Impact
Wasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses, which means that the wrong address is accessed. When combined with explicit bounds checks in a guest WebAssembly module, this can create a situation where there are two diverging computations for the same address: one for the address to bounds-check and one for the address to load. This difference in the address being operated on means that a guest module can pass a bounds check but then load a different address. Combined together, this enables an arbitrary read/write primitive for guest WebAssembly when accessing host memory. This is a sandbox escape as guests are able to read/write arbi
OSV
Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift
osv·2026-04-09
CVE-2026-34971 Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift
This is an entry in the RustSec database for the Wasmtime security advisory
located at
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jhxm-h53p-jm7w
For more information see the GitHub-hosted security advisory.
Red Hat
wasmtime: cranelift: Wasmtime: Sandbox escape due to miscompiled heap access on aarch64
vendor_redhat·2026-04-09·CVSS 9.0
CVE-2026-34971 [CRITICAL] CWE-125 wasmtime: cranelift: Wasmtime: Sandbox escape due to miscompiled heap access on aarch64
A flaw was found in Wasmtime, a runtime for WebAssembly. On aarch64 systems, a miscompilation bug in Wasmtime's Cranelift backend can be exploited by a guest WebAssembly module. This vulnerability allows the module to bypass memory bounds checks, enabling arbitrary read and write operations on the host system's memory. This ultimately leads to a sandbox escape, where the guest module can access resources beyond its intended isolated environment.
Statement: The requirement that Spectre mitigations be disabled is a non-default state for Red Hat products and is highly discouraged. No Red Hat product in its default configuration is vulnerable to this flaw.
Mitigation: Mitigation for this issue is either
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-34944 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.1
CVE-2026-34944 [MEDIUM] CVE-2026-34944 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34944 :
Rust vulnerability analysis and mitigation
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, on x86-64 platforms with SSE3 disabled, Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled, this can result in an uncaught segfault due to loading from unmapped guard pages. With guard pages disabled, it's possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
Source : NVD
## 4.1
Score
Published April 9, 2026
Severity MEDIUM
CNA Score 4.1
Affected Technologies
Rust
Linux Debian
Has Public Exploit No
Has CISA KEV Exploi
Wiz
RUSTSEC-2026-0093 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
[MEDIUM] RUSTSEC-2026-0093 Impact, Exploitability, and Mitigation Steps | Wiz
## RUSTSEC-2026-0093 :
Rust vulnerability analysis and mitigation
This is an entry in the RustSec database for the Wasmtime security advisory
located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hx6p-xpx3-jvvv For more information see the GitHub-hosted security advisory.
Source : NVD
## 6.9
Score
Published April 9, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wasmtime
Sources
NVD
Rust Has Fix Added at: Apr 09, 2026
Wiz
RUSTSEC-2026-0095 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
[MEDIUM] RUSTSEC-2026-0095 Impact, Exploitability, and Mitigation Steps | Wiz
## RUSTSEC-2026-0095 :
Rust vulnerability analysis and mitigation
This is an entry in the RustSec database for the Wasmtime security advisory
located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83 For more information see the GitHub-hosted security advisory.
Source : NVD
## 9
Score
Published April 9, 2026
Severity CRITICAL
CNA Score N/A
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wasmtime
Sources
NVD
Rust Has Fix Added at: Apr 09, 2026
Wiz
CVE-2026-35406 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-35406 [MEDIUM] CVE-2026-35406 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35406 :
Rust vulnerability analysis and mitigation
Aardvark-dns is an authoritative dns server for A/AAAA container records. From 1.16.0 to 1.17.0, a truncated TCP DNS query followed by a connection reset causes aardvark-dns to enter an unrecoverable infinite error loop at 100% CPU. This vulnerability is fixed in 1.17.1.
Source : NVD
## 6.2
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 6.2
Affected Technologies
Rust
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
aardvark-dns
container-tools:rhel8::aardvark-dns
Sources
NVD
Debian 12, 13, 14 Severity MEDIUM No Fix Added at:
Wiz
RUSTSEC-2026-0085 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
[MEDIUM] RUSTSEC-2026-0085 Impact, Exploitability, and Mitigation Steps | Wiz
## RUSTSEC-2026-0085 :
Rust vulnerability analysis and mitigation
This is an entry in the RustSec database for the Wasmtime security advisory
located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m758-wjhj-p3jq For more information see the GitHub-hosted security advisory.
Source : NVD
## 5.6
Score
Published April 9, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wasmtime
Sources
NVD
Rust Has Fix Added at: Apr 09, 2026
Wiz
CVE-2026-34946 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-34946 [MEDIUM] CVE-2026-34946 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34946 :
Rust vulnerability analysis and mitigation
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-of-service vulnerability in Wasmtime due to guests being able to trigger a panic. The specific issue is that a historical refactoring changed how compiled code referenced tables within the table.* instructions. This refactoring forgot to update the Winch code paths associated as well, meaning that Winch was using the wrong indexing scheme. Due to the feature support of Winch the
Wiz
CVE-2026-34988 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.3
CVE-2026-34988 [LOW] CVE-2026-34988 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34988 :
Rust vulnerability analysis and mitigation
Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of its pooling allocator contains a bug where in certain configurations the contents of linear memory can be leaked from one instance to the next. The implementation of resetting the virtual memory permissions for linear memory used the wrong predicate to determine if resetting was necessary, where the compilation process used a different predicate. This divergence meant that the pooling allocator incorrectly deduced at runtime that resetting virtual memory permissions was not necessary, while compile time determined that virtual memory could be relied upon. The pooling allocator must be in use, Config::memory_guar
Wiz
CVE-2026-35533 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-35533 [MEDIUM] CVE-2026-35533 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35533 :
Rust vulnerability analysis and mitigation
mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted and then reach dangerous directives such as [env] _.source, templates, hooks, or tasks.
Source : NVD
## 7.7
Score
Published April 7, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mise
Sources
NVD
R
Wiz
CVE-2026-34945 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.3
CVE-2026-34945 [LOW] CVE-2026-34945 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34945 :
Rust vulnerability analysis and mitigation
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Winch
Wiz
RUSTSEC-2026-0096 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
[MEDIUM] RUSTSEC-2026-0096 Impact, Exploitability, and Mitigation Steps | Wiz
## RUSTSEC-2026-0096 :
Rust vulnerability analysis and mitigation
This is an entry in the RustSec database for the Wasmtime security advisory
located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jhxm-h53p-jm7w For more information see the GitHub-hosted security advisory.
Source : NVD
## 9
Score
Published April 9, 2026
Severity CRITICAL
CNA Score N/A
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wasmtime
Sources
NVD
Rust Has Fix Added at: Apr 09, 2026
Wiz
RUSTSEC-2026-0088 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
[MEDIUM] RUSTSEC-2026-0088 Impact, Exploitability, and Mitigation Steps | Wiz
## RUSTSEC-2026-0088 :
Rust vulnerability analysis and mitigation
This is an entry in the RustSec database for the Wasmtime security advisory
located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-6wgr-89rj-399p For more information see the GitHub-hosted security advisory.
Source : NVD
## 2.3
Score
Published April 9, 2026
Severity LOW
CNA Score N/A
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wasmtime
Sources
NVD
Rust Has Fix Added at: Apr 09, 2026
Wiz
RUSTSEC-2026-0084 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
[MEDIUM] RUSTSEC-2026-0084 Impact, Exploitability, and Mitigation Steps | Wiz
## RUSTSEC-2026-0084 :
Rust vulnerability analysis and mitigation
trace()
Source : NVD
Published April 9, 2026
CNA Score N/A
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
logprinter
Sources
NVD
Rust No Fix Added at: Apr 09, 2026
## Related Rust vulnerabilities:
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-34971 | CRITICAL | 9 | Rust | rust-wasmtime | No | Yes | Apr 09, 2026 |
| CVE-2026-3519 | | | | | | | |
Wiz
CVE-2026-35195 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-35195 [MEDIUM] CVE-2026-35195 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35195 :
Rust vulnerability analysis and mitigation
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings between components contains a bug where the return value of a guest component's realloc is not validated before the host attempts to write through the pointer. This enables a guest to cause the host to write arbitrary transcoded string bytes to an arbitrary location up to 4GiB away from the base of linear memory. These writes on the host could hit unmapped memory or could corrupt host data structures depending on Wasmtime's configuration. Wasmtime by default reserves 4GiB of virtual memory for a guest's linear memory meaning that this bug will by default on hosts cause the host to hit unmapped m
Wiz
RUSTSEC-2026-0092 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
[MEDIUM] RUSTSEC-2026-0092 Impact, Exploitability, and Mitigation Steps | Wiz
## RUSTSEC-2026-0092 :
Rust vulnerability analysis and mitigation
This is an entry in the RustSec database for the Wasmtime security advisory
located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775 For more information see the GitHub-hosted security advisory.
Source : NVD
## 5.9
Score
Published April 9, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wasmtime
Sources
NVD
Rust Has Fix Added at: Apr 09, 2026
Wiz
CVE-2026-34971 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.0
CVE-2026-34971 [CRITICAL] CVE-2026-34971 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34971 :
Rust vulnerability analysis and mitigation
Wasmtime is a runtime for WebAssembly. From 32.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses, which means that the wrong address is accessed. When combined with explicit bounds checks in a guest WebAssembly module, this can create a situation where there are two diverging computations for the same address: one for the address to bounds-check and one for the address to load. This difference in the address being operated on means that a guest module can pass a bounds check but then load a different address. Combined together, this enables an arbitrary read/write primitive for guest WebAssembly when accessing host memory. This
Wiz
RUSTSEC-2026-0091 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
[MEDIUM] RUSTSEC-2026-0091 Impact, Exploitability, and Mitigation Steps | Wiz
## RUSTSEC-2026-0091 :
Rust vulnerability analysis and mitigation
This is an entry in the RustSec database for the Wasmtime security advisory
located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-394w-hwhg-8vgm For more information see the GitHub-hosted security advisory.
Source : NVD
## 6.1
Score
Published April 9, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wasmtime
Sources
NVD
Rust Has Fix Added at: Apr 09, 2026
Wiz
CVE-2026-20709 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.8
CVE-2026-20709 [MEDIUM] CVE-2026-20709 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-20709 :
Linux Red Hat vulnerability analysis and mitigation
Use of Default Cryptographic Key in the hardware for some Intel(R) Pentium(R) Processor Silver Series, Intel(R) Celeron(R) Processor J Series, Intel(R) Celeron(R) Processor N Series may allow an escalation of privilege. Hardware reverse engineer adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via physical access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and avail
Wiz
RUSTSEC-2026-0094 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
[MEDIUM] RUSTSEC-2026-0094 Impact, Exploitability, and Mitigation Steps | Wiz
## RUSTSEC-2026-0094 :
Rust vulnerability analysis and mitigation
This is an entry in the RustSec database for the Wasmtime security advisory
located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-f984-pcp8-v2p7 For more information see the GitHub-hosted security advisory.
Source : NVD
## 6.1
Score
Published April 9, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wasmtime
Sources
NVD
Rust Has Fix Added at: Apr 09, 2026
Wiz
CVE-2026-34941 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-34941 [MEDIUM] CVE-2026-34941 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34941 :
Rust vulnerability analysis and mitigation
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byte length of the input string when performing a bounds check. Specifically the number of code units were checked instead of the byte length, which is twice the size of the code units. This vulnerability can cause the host to read beyond the end of a WebAssembly's linear memory in an attempt to transcode nonexistent bytes. In Wasmtime's default configuration this will read unmapped memory on a guard page, terminating the process with a segfault. Wasmtime can be configured, however, without gua
Wiz
RUSTSEC-2026-0083 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
[MEDIUM] RUSTSEC-2026-0083 Impact, Exploitability, and Mitigation Steps | Wiz
## RUSTSEC-2026-0083 :
Rust vulnerability analysis and mitigation
zantetsu-trainer
zantetsu-trainer
## Migration
zantetsu-trainer
zantetsu 0.2
Source : NVD
Published April 7, 2026
CNA Score N/A
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
zantetsu-trainer
Sources
NVD
Rust No Fix Added at: Apr 09, 2026
Wiz
RUSTSEC-2026-0090 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
[MEDIUM] RUSTSEC-2026-0090 Impact, Exploitability, and Mitigation Steps | Wiz
## RUSTSEC-2026-0090 :
Rust vulnerability analysis and mitigation
This is an entry in the RustSec database for the Wasmtime security advisory
located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2 For more information see the GitHub-hosted security advisory.
Source : NVD
## 1
Score
Published April 9, 2026
Severity LOW
CNA Score N/A
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wasmtime
Sources
NVD
Rust Has Fix Added at: Apr 09, 2026
Wiz
CVE-2026-34942 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-34942 [MEDIUM] CVE-2026-34942 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34942 :
Rust vulnerability analysis and mitigation
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
Source : NVD
## 5.9
Score
Published Apri
Wiz
CVE-2026-33816 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-33816 [CRITICAL] CVE-2026-33816 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33816 :
Linux Red Hat vulnerability analysis and mitigation
Memory-safety vulnerability in github.com/jackc/pgx/v5.
Source : NVD
## 9.8
Score
Published April 7, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
go-fdo-server
Sources
NVD
Red Hat 10 Severity HIGH No Fix Added at: Apr 09, 2026
Wiz
RUSTSEC-2026-0086 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
[MEDIUM] RUSTSEC-2026-0086 Impact, Exploitability, and Mitigation Steps | Wiz
## RUSTSEC-2026-0086 :
Rust vulnerability analysis and mitigation
This is an entry in the RustSec database for the Wasmtime security advisory
located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946 For more information see the GitHub-hosted security advisory.
Source : NVD
## 2.3
Score
Published April 9, 2026
Severity LOW
CNA Score N/A
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wasmtime
Sources
NVD
Rust Has Fix Added at: Apr 09, 2026
Wiz
RUSTSEC-2026-0082 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
[MEDIUM] RUSTSEC-2026-0082 Impact, Exploitability, and Mitigation Steps | Wiz
## RUSTSEC-2026-0082 :
Rust vulnerability analysis and mitigation
zantetsu-ffi
zantetsu-ffi
## Migration
zantetsu-ffi
zantetsu 0.2
Source : NVD
Published April 7, 2026
CNA Score N/A
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
zantetsu-ffi
Sources
NVD
Rust No Fix Added at: Apr 09, 2026
Wiz
CVE-2026-33815 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-33815 [CRITICAL] CVE-2026-33815 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33815 :
Linux Red Hat vulnerability analysis and mitigation
Memory-safety vulnerability in github.com/jackc/pgx/v5.
Source : NVD
## 9.8
Score
Published April 7, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
go-fdo-server
Sources
NVD
Red Hat 10 Severity HIGH No Fix Added at: Apr 09, 2026
Wiz
[MEDIUM] CVE-2026-39360 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
## CVE-2026-39360 :
Rust vulnerability analysis and mitigation
RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path (UploadPartCopy). A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by copying them into an attacker-controlled multipart upload and completing the upload. This breaks tenant isolation in multi-user / multi-tenant deployments. This vulnerability is fixed in alpha.90.
Source : NVD
## 5.3
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Wiz
[MEDIUM] RUSTSEC-2026-0087 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
## RUSTSEC-2026-0087 :
Rust vulnerability analysis and mitigation
This is an entry in the RustSec database for the Wasmtime security advisory
located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv. For more information see the GitHub-hosted security advisory.
Source : NVD
## 4.1
Score
Published April 9, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wasmtime
Sources
NVD
Rust Has Fix Added at: Apr 09, 2026
Wiz
[MEDIUM] CVE-2026-34943 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.6
## CVE-2026-34943 :
Rust vulnerability analysis and mitigation
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags, the component model specifies that these bits should be ignored, but Wasmtime will panic when this value is lifted. This panic only affects Wasmtime's implementation of lifting into Val, not the flags! macro. It additionally only affects flags-typed values which are part of a WIT interface. This creates the risk of a guest-controlled panic within the host, which Wasmtime considers a DoS vector. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
Source
Wiz
[MEDIUM] RUSTSEC-2026-0089 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
## RUSTSEC-2026-0089 :
Rust vulnerability analysis and mitigation
This is an entry in the RustSec database for the Wasmtime security advisory
located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw. For more information see the GitHub-hosted security advisory.
Source : NVD
## 5.9
Score
Published April 9, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Rust
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wasmtime
Sources
NVD
Rust Has Fix Added at: Apr 09, 2026
Wiz
[MEDIUM] CVE-2026-34983 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
## CVE-2026-34983 :
Rust vulnerability analysis and mitigation
Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following steps must occur to trigger the bug: clone a wasmtime::Linker; drop the original linker instance; use the new, cloned linker instance, resulting in a use-after-free. This vulnerability is fixed in 43.0.1.
Source : NVD
## 1
Score
Published April 9, 2026
Severity LOW
CNA Score 1.0
Affected Technologies
Rust
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitati
Bugzilla
[CRITICAL] CVE-2026-34971 wasmtime: cranelift: Wasmtime: Sandbox escape due to miscompiled heap access on aarch64
bugzilla·2026-04-09·CVSS 9.0
Wasmtime is a runtime for WebAssembly. From 32.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses which means that the wrong address is accessed. When combined with explicit bounds checks a guest WebAssembly module this can create a situation where there are two diverging computations for the same address: one for the address to bounds-check and one for the address to load. This difference in address being operated on means that a guest module can pass a bounds check but then load a different address. Combined together this enables an arbitrary read/write primitive for guest WebAsse
Bugzilla
[CRITICAL] CVE-2026-34971 tree-sitter: Wasmtime: Sandbox escape due to miscompiled heap access on aarch64 [fedora-all]
bugzilla·2026-04-09·CVSS 9.0
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
2026-04-09
Published