Description
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Winch's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
Published: 2026-04-09
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Host Data Exposure
Action: Apply Patch
AI Analysis

Impact

A bug in Wasmtime’s Winch compiler misinterprets the table.size instruction for 64‑bit tables, returning a 32‑bit value when the correct size is larger. This mismatch allows a WebAssembly guest to read data that resides on the host’s stack, potentially exposing sensitive information that should remain hidden from untrusted guest code. The flaw represents an integer type mismatch weakness (CWE‑681).

Affected Systems

Bytecodealliance Wasmtime releases from 25.0.0 up to, but not including, 36.0.7, 42.0.2, and 43.0.1 contain the vulnerability. It is corrected in 36.0.7, 42.0.2, and 43.0.1.

Risk and Exploitability

The CVSS score of 2.3 indicates low overall risk. Based on the description, it is inferred that an attacker must be able to execute WebAssembly code within a vulnerable Wasmtime instance to trigger the leak, suggesting a local or controlled code execution scenario rather than a traditional remote attack vector. No EPSS data is available and the vulnerability is not listed in CISA’s KEV catalog, implying limited current exploit activity, but host systems running untrusted Wasm code remain at risk of accidental data disclosure.

Generated by OpenCVE AI on April 9, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wasmtime to version 36.0.7, 42.0.2, 43.0.1 or later

Advisories
Source: Github GHSA
ID: GHSA-m9w2-8782-2946
Title: Wasmtime has host data leakage with 64-bit tables and Winch
History

Mon, 20 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*
Metrics cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N'}

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Fri, 10 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Bytecodealliance
Bytecodealliance wasmtime
Vendors & Products Bytecodealliance
Bytecodealliance wasmtime

Fri, 10 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N'}

threat_severity

Moderate


Thu, 09 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Description Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Winch's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
Title Wasmtime leaks host data with 64-bit tables and Winch
Weaknesses CWE-681
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T14:12:18.460Z

Reserved: 2026-03-31T17:27:08.661Z

Link: CVE-2026-34945

Vulnrichment

Updated: 2026-04-10T14:12:15.289Z

NVD

Status: Analyzed

Published: 2026-04-09T19:16:24.330

Modified: 2026-04-20T18:26:39.900

Link: CVE-2026-34945

Redhat

Severity: Moderate

Public Date: 2026-04-09T18:40:48Z

Links: CVE-2026-34945 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:31:39Z

Weaknesses