CVE-2026-34971: Out-of-bounds Read in Wasmtime

Severity: 9.0 CRITICAL (NVD)
EPSS: 0.0% (top 97.63%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Apr 9

Description

Wasmtime is a runtime for WebAssembly. From 32.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Cranelift compilation backend contains a bug on aarch64 in which a certain shape of heap access computes the wrong address. When combined with explicit bounds checks in a guest WebAssembly module, this can create a situation where there are two diverging computations for the same address: one for the address that is bounds-checked and one for the address that is loaded. This difference

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Packages (2 packages)

crates.io: bytecodealliance/wasmtime, 32.0.0 to 36.0.7 (+3)
CVEListV5: bytecodealliance/wasmtime, >= 32.0.0, < 36.0.7; >= 37.0.0, < 42.0.2; >= 43.0.0, < 44.0.1 (+2)

🔴 Vulnerability Details (4)

VulDB: bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0 WebAssembly Config::wasm_memory64 out-of-bounds (GHSA-jhxm-h53p-jm7w) (2026-04-09)
OSV: Wasmtime: Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift (2026-04-09)
GHSA: Wasmtime: Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift (2026-04-09)
OSV: Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift (2026-04-09)

📋 Vendor Advisories (1)

Red Hat: wasmtime: cranelift: Wasmtime: Sandbox escape due to miscompiled heap access on aarch64 (2026-04-09)

🕵️ Threat Intelligence (31)

Wiz: CVE-2026-34944 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: RUSTSEC-2026-0093 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: RUSTSEC-2026-0095 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-35406 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: RUSTSEC-2026-0085 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (2)

Bugzilla: CVE-2026-34971 wasmtime: cranelift: Wasmtime: Sandbox escape due to miscompiled heap access on aarch64 (2026-04-09)
Bugzilla: CVE-2026-34971 tree-sitter: Wasmtime: Sandbox escape due to miscompiled heap access on aarch64 [fedora-all] (2026-04-09)