CVE-2026-34988 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Wasmtime
Severity
2.3LOWNVD
EPSS
0.0%
top 98.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 9
Description
Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of its pooling allocator contains a bug where in certain configurations the contents of linear memory can be leaked from one instance to the next. The implementation of resetting the virtual memory permissions for linear memory used the wrong predicate to determine if resetting was necessary, where the compilation process used a different predicate. This divergence meant that the po…
CVSS vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Affected Packages2 packages
🔴Vulnerability Details
4VulDB▶
bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0 memory_guard_size memory corruption (GHSA-6wgr-89rj-399p)↗2026-04-09
📋Vendor Advisories
1Red Hat▶
wasmtime: Wasmtime: Information disclosure due to improper memory handling in pooling allocator↗2026-04-09