Severity: 9.0 CRITICAL (NVD)
EPSS: 0.1% (top 84.67%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Apr 9
Latest update: Apr 10

Description

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-memory sandbox. This vulnerability requires use of the Winch compiler (-Ccompiler=winch). By default, Wasmtime uses its Cranelift backend, not Winch. With Winch, the same incorrect assumption is present in theory on both aarch64 and x86-64. The aarch64 case has

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Packages (2 packages)

crates.io: bytecodealliance/wasmtime, 25.0.0 to 36.0.7 (+3)
CVEListV5: bytecodealliance/wasmtime, >= 25.0.0, < 36.0.7; >= 37.0.0, < 42.0.2; >= 43.0.0, < 44.0.1 (+2)

🔴 Vulnerability Details (3)

GHSA: Wasmtime with Winch compiler backend on aarch64 may allow a sandbox-escaping memory access (2026-04-10)
OSV: Wasmtime with Winch compiler backend may allow a sandbox-escaping memory access (2026-04-09)
VulDB: bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0 out-of-bounds (GHSA-xx5w-cvp6-jv83) (2026-04-09)

📋 Vendor Advisories (1)

Red Hat: wasmtime: bytecodealliance/wasmtime: Wasmtime: Arbitrary code execution via incorrect memory offset handling in Winch compiler (2026-04-09)

🕵️ Threat Intelligence (42)

Wiz: CVE-2026-5745 Impact, Exploitability, and Mitigation Steps
Wiz: CVE-2026-28808 Impact, Exploitability, and Mitigation Steps
Wiz: CVE-2026-5442 Impact, Exploitability, and Mitigation Steps
Wiz: CVE-2026-5443 Impact, Exploitability, and Mitigation Steps
Wiz: CVE-2026-24450 Impact, Exploitability, and Mitigation Steps

💬 Community (1)

Bugzilla: CVE-2026-34987 wasmtime: bytecodealliance/wasmtime: Wasmtime: Arbitrary code execution via incorrect memory offset handling in Winch compiler (2026-04-09)