Description
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-of-service vulnerability in Wasmtime due to guests being able to trigger a panic. The specific issue is that a historical refactoring changed how compiled code referenced tables within the table.* instructions. This refactoring forgot to update the Winch code paths associated as well, meaning that Winch was using the wrong indexing scheme. Due to the feature support of Winch the only problem that can result is tables being mixed up or nonexistent tables being used, meaning that the guest is limited to panicking the host (using a nonexistent table), or executing spec-incorrect behavior and modifying the wrong table. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
Published: 2026-04-09
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (host panic)
Action: Patch
AI Analysis

Impact

The Winch compiler in Wasmtime incorrectly processes the WASM table.fill instruction after a refactoring change, causing it to use an invalid table indexing scheme. When executed, the compiled code can reference a non‑existent or wrong table, leading the host process to panic. This crash results in a denial‑of‑service condition that halts the Wasmtime runtime.

Affected Systems

All Wasmtime releases from 25.0.0 up to, but excluding, 36.0.7, as well as earlier versions of 42.0.2 and 43.0.1 before the patch, are vulnerable. The vulnerability affects the bytecodealliance wasmtime product across all supported architectures.

Risk and Exploitability

The CVSS score of 5.9 categorizes the issue as moderate in severity, and the EPSS score is not publicly available. The vulnerability is not listed in CISA’s KEV catalog, indicating no confirmed mass exploitation yet. Nonetheless, the attack vector is straightforward: any WebAssembly module compiled with Winch that contains a table.fill instruction can trigger a host panic. An attacker only needs to supply such a module, making the exploitation conditions minimal and the risk to services accepting untrusted WebAssembly payloads significant.

Generated by OpenCVE AI on April 10, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wasmtime to version 36.0.7 or newer, or to the fixed 42.0.2 or 43.0.1 releases that contain the patch for this issue.
  • If an upgrade cannot be performed immediately, block or disable WebAssembly execution that relies on the Winch compiler until the fix is applied.
  • Verify the current Wasmtime version on all systems to confirm it includes the security update.
  • Keep monitoring the vendor’s advisories for any additional patches or guidance related to this vulnerability.

Generated by OpenCVE AI on April 10, 2026 at 01:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q49f-xg75-m9xw Wasmtime has host panic when Winch compiler executes `table.fill`
History

Mon, 20 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Bytecodealliance
Bytecodealliance wasmtime
Vendors & Products Bytecodealliance
Bytecodealliance wasmtime

Fri, 10 Apr 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Moderate

Thu, 09 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Description Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-of-service vulnerability in Wasmtime due to guests being able to trigger a panic. The specific issue is that a historical refactoring changed how compiled code referenced tables within the table.* instructions. This refactoring forgot to update the Winch code paths associated as well, meaning that Winch was using the wrong indexing scheme. Due to the feature support of Winch the only problem that can result is tables being mixed up or nonexistent tables being used, meaning that the guest is limited to panicking the host (using a nonexistent table), or executing spec-incorrect behavior and modifying the wrong table. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
Title Wasmtime's host panics when Winch compiler executes `table.fill`
Weaknesses CWE-670
References
Metrics cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Bytecodealliance Wasmtime
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T19:33:33.709Z

Reserved: 2026-03-31T17:27:08.661Z

Link: CVE-2026-34946

cve-icon Vulnrichment

Updated: 2026-04-09T19:33:28.791Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T19:16:24.490

Modified: 2026-04-20T18:26:23.550

Link: CVE-2026-34946

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-09T18:43:39Z

Links: CVE-2026-34946 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:31:38Z

Weaknesses