CVE-2026-35186: Memory Allocation with Excessive Size Value in Wasmtime

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.0% (top 85.79%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Apr 9
Latest update: Apr 10

Description

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler backend contains a bug where translating the table.grow operator causes the result to be incorrectly typed. For 32-bit tables this means that the result of the operator, internally in Winch, is tagged as a 64-bit value instead of a 32-bit value. This invalid internal representation of Winch's compiler state compounds into further issues depending on how the value is consumed. The pr

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Affected Packages (2 packages)

crates.io: bytecodealliance/wasmtime 0.0.0-0 36.0.7 (+3)
CVEListV5: bytecodealliance/wasmtime >= 25.0.0, < 36.0.7, >= 37.0.0, < 42.0.2, >= 43.0.0, < 44.0.1 (+2)

🔴 Vulnerability Details (3)

GHSA: Wasmtime has improperly masked return value from `table.grow` with Winch compiler backend (2026-04-10)
OSV: Improperly masked return value from `table.grow` with Winch compiler backend (2026-04-09)
VulDB: bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0 memory allocation (GHSA-f984-pcp8-v2p7) (2026-04-09)

📋 Vendor Advisories (1)

Red Hat: Wasmtime: github.com/bytecodealliance/wasmtime: Wasmtime: Denial of Service and potential information disclosure via Winch compiler type confusion (2026-04-09)

🕵️ Threat Intelligence (45)

Wiz: CVE-2026-5745 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-28808 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-5442 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-5443 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-24450 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (2)

Bugzilla: CVE-2026-35186 tree-sitter: Wasmtime: Denial of Service and potential information disclosure via Winch compiler type confusion [fedora-all] (2026-04-09)
Bugzilla: CVE-2026-35186 Wasmtime: github.com/bytecodealliance/wasmtime: Wasmtime: Denial of Service and potential information disclosure via Winch compiler type confusion (2026-04-09)