Description
Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of its pooling allocator contains a bug where in certain configurations the contents of linear memory can be leaked from one instance to the next. The implementation of resetting the virtual memory permissions for linear memory used the wrong predicate to determine if resetting was necessary, where the compilation process used a different predicate. This divergence meant that the pooling allocator incorrectly deduced at runtime that resetting virtual memory permissions was not necessary while compile-time determine that virtual memory could be relied upon. The pooling allocator must be in use, Config::memory_guard_size configuration option must be 0, Config::memory_reservation configuration must be less than 4GiB, and pooling allocator must be configured with max_memory_size the same as the memory_reservation value in order to exploit this vulnerability. If all of these conditions are applicable then when a linear memory is reused the VM permissions of the previous iteration are not reset. This means that the compiled code, which is assuming out-of-bounds loads will segfault, will not actually segfault and can read the previous contents of linear memory if it was previously mapped. This represents a data leakage vulnerability between guest WebAssembly instances which breaks WebAssembly's semantics and additionally breaks the sandbox that Wasmtime provides. Wasmtime is not vulnerable to this issue with its default settings, nor with the default settings of the pooling allocator, but embeddings are still allowed to configure these values to cause this vulnerability. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
Published: 2026-04-09
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Data Leakage
Action: Apply Patch
AI Analysis

Impact

Wasmtime's pooling allocator may allow the contents of linear memory to leak from one guest instance to the next when certain configuration values diverge between compile time and runtime. The bug arises when the runtime incorrectly determines that virtual-memory permissions need not be reset, allowing previously mapped data to be read by an out-of-bounds load. This enables a guest module to read memory contents that belong to an earlier instance, thus violating WebAssembly's isolation guarantees and leaking confidential data.

Affected Systems

Bytecodealliance Wasmtime versions 28.0.0 through 36.0.6, 42.0.0–42.0.1, and 43.0.0 are affected; the flaw is patched in 36.0.7, 42.0.2, and 43.0.1 and any newer releases. The issue does not affect the default configuration, but applications that enable the pooling allocator with Config::memory_guard_size set to 0, Config::memory_reservation below 4 GiB, and max_memory_size equal to memory_reservation may be exposed.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity; the EPSS score is not available and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires the pooling allocator to be active, Config::memory_guard_size set to 0, Config::memory_reservation under 4 GiB, and max_memory_size equal to memory_reservation. These conditions are not part of the default configuration, so an attacker would need to control the embedding environment or supply specially crafted WebAssembly modules. When the conditions are met, a canary-free out-of-bounds load can read data left behind in linear memory, leading to information disclosure rather than denial-of-service or remote code execution. Because the bug only affects data isolation, the risk to most deployments that use the default settings is minimal, but any custom configuration that uses the pooling allocator with the specific parameter set is vulnerable.

Generated by OpenCVE AI on April 10, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wasmtime to a version that includes the fix (36.0.7, 42.0.2, 43.0.1 or later).
  • If an upgrade is not yet possible, disable the pooling allocator or configure it so that Config::memory_guard_size is not set to 0, Config::memory_reservation is 4 GiB or higher, or max_memory_size differs from memory_reservation, thereby preventing the conditions that enable the leak.

Generated by OpenCVE AI on April 10, 2026 at 01:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6wgr-89rj-399p Wasmtime has data leakage between pooling allocator instances
History

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*
cpe:2.3:a:bytecodealliance:wasmtime:43.0.0:*:*:*:*:rust:*:*
Metrics cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N'}

 cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Bytecodealliance
Bytecodealliance wasmtime
Vendors & Products Bytecodealliance
Bytecodealliance wasmtime

Fri, 10 Apr 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N'}

threat_severity

Moderate

Thu, 09 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Description Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of its pooling allocator contains a bug where in certain configurations the contents of linear memory can be leaked from one instance to the next. The implementation of resetting the virtual memory permissions for linear memory used the wrong predicate to determine if resetting was necessary, where the compilation process used a different predicate. This divergence meant that the pooling allocator incorrectly deduced at runtime that resetting virtual memory permissions was not necessary while compile-time determine that virtual memory could be relied upon. The pooling allocator must be in use, Config::memory_guard_size configuration option must be 0, Config::memory_reservation configuration must be less than 4GiB, and pooling allocator must be configured with max_memory_size the same as the memory_reservation value in order to exploit this vulnerability. If all of these conditions are applicable then when a linear memory is reused the VM permissions of the previous iteration are not reset. This means that the compiled code, which is assuming out-of-bounds loads will segfault, will not actually segfault and can read the previous contents of linear memory if it was previously mapped. This represents a data leakage vulnerability between guest WebAssembly instances which breaks WebAssembly's semantics and additionally breaks the sandbox that Wasmtime provides. Wasmtime is not vulnerable to this issue with its default settings, nor with the default settings of the pooling allocator, but embeddings are still allowed to configure these values to cause this vulnerability. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
Title Wasmtime leaks data between pooling allocator instances
Weaknesses CWE-119
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}

Subscriptions

Bytecodealliance Wasmtime
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T19:31:07.544Z

Reserved: 2026-03-31T19:38:31.617Z

Link: CVE-2026-34988

cve-icon Vulnrichment

Updated: 2026-04-09T19:31:00.578Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T19:16:25.160

Modified: 2026-04-15T13:14:31.920

Link: CVE-2026-34988

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-09T18:52:26Z

Links: CVE-2026-34988 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:29:54Z

Weaknesses