Description
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler backend contains a bug where translating the table.grow operator causes the result to be incorrectly typed. For 32-bit tables this means that the result of the operator, internally in Winch, is tagged as a 64-bit value instead of a 32-bit value. This invalid internal representation of Winch's compiler state compounds into further issues depending on how the value is consumed. The primary consequence of this bug is that bytes in the host's address space can be stored/read from. This is only applicable to the 16 bytes before linear memory, however, as the only significant return value of table.grow that can be misinterpreted is -1. The bytes before linear memory are, by default, unmapped memory. Wasmtime will detect this fault and abort the process, however, because wasm should not be able to access these bytes. Overall this bug in Winch represents a DoS vector by crashing the host process, a correctness issue within Winch, and a possible leak of up to 16-bytes before linear memory. Wasmtime's default compiler is Cranelift, not Winch, and Wasmtime's default settings are to place guard pages before linear memory. This means that Wasmtime's default configuration is not affected by this issue, and when explicitly choosing Winch Wasmtime's otherwise default configuration leads to a DoS. Disabling guard pages before linear memory is required to possibly leak up to 16-bytes of host data. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
Published: 2026-04-09
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and possible 16‑byte memory leak
Action: Apply Patch
AI Analysis

Impact

Wasmtime, a WebAssembly runtime, contains a bug in its Winch compiler backend that causes the result of the table.grow operator to be typed as 64-bit instead of 32-bit for 32-bit tables. This mis-typed value leaves Winch's compiler state invalid and can let WebAssembly code read or write up to 16 bytes of host memory immediately preceding the linear memory region. Because Wasmtime's default configuration places unmapped guard pages before linear memory, such an access faults and Wasmtime aborts the process, resulting in a denial of service; a leak of those bytes is possible only when the guard pages are disabled. The vulnerability exists in releases from 25.0.0 through just before 36.0.7, and in the 42 and 43 series before 42.0.2 and 43.0.1.

Affected Systems

Bytecodealliance's Wasmtime runtime is affected. Vulnerable releases include versions from 25.0.0 up to, but not including, 36.0.7, 42 releases before 42.0.2, and 43 releases before 43.0.1. The bug is fixed in Wasmtime 36.0.7, 42.0.2, and 43.0.1 or later.

Risk and Exploitability

The CVSS base score for this issue is 6.1, indicating moderate severity. The lack of a publicly available EPSS score and its absence from the CISA Known Exploited Vulnerabilities catalog reduce the perceived risk profile. Exploitation requires the victim to run WebAssembly code compiled with the Winch backend, which is not Wasmtime's default compiler. With the default guard pages in place the outcome is a process abort; leaking host bytes additionally requires that the guard pages before linear memory be disabled. Because the exploit depends on a non-default compiler backend, it is less likely to succeed against a deployment that keeps the default settings, but it still represents a non-negligible denial-of-service risk.

Generated by OpenCVE AI on April 10, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Wasmtime to the latest release (36.0.7, 42.0.2, or 43.0.1 or newer).
  • Do not use the Winch compiler backend unless it is configured to retain guard pages before linear memory.
  • Re‑enable guard pages before linear memory if the Winch backend must be used.
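
The version ranges and configuration conditions in the description can be turned into a triage check for an inventory of Wasmtime deployments. The following is an added example, not code from OpenCVE or the Wasmtime project; the function names and the inventory are constructed for illustration, and release lines for which the page names no fixed version (37.x to 41.x) are assumed to remain affected.

```python
# Added example: exposure triage for CVE-2026-35186 using the ranges on this page.
FIRST_AFFECTED = (25, 0, 0)
# Fixed releases named on the page, keyed by major version.
FIXED = {36: (36, 0, 7), 42: (42, 0, 2), 43: (43, 0, 1)}
LAST_FIX = max(FIXED.values())


def parse_version(text):
    """Turn '36.0.6', 'v42.0.1' or '43.0.0-rc1' into (major, minor, patch)."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def version_affected(text):
    ver = parse_version(text)
    if ver < FIRST_AFFECTED or ver >= LAST_FIX:
        return False
    fixed = FIXED.get(ver[0])
    # Assumption: a release line with no fixed version listed (37.x-41.x)
    # stays affected until it is moved to a patched line.
    return fixed is None or ver < fixed


def triage(version, compiler="cranelift", guard_before_linear_memory=True):
    """Classify one deployment; defaults mirror Wasmtime's defaults per the page."""
    if not version_affected(version):
        return "not-affected: version outside the affected range"
    if compiler.lower() != "winch":
        return "not-affected: Winch backend not in use"
    if guard_before_linear_memory:
        return "dos: fault before linear memory aborts the host process"
    return "possible-leak: up to 16 bytes before linear memory may be exposed"


if __name__ == "__main__":
    # Constructed inventory: (service, version, compiler, guard pages enabled)
    inventory = [
        ("edge-a", "36.0.6", "winch", True),
        ("edge-b", "42.0.1", "winch", False),
        ("batch", "40.0.0", "cranelift", True),
        ("api", "43.0.1", "winch", False),
    ]
    for name, ver, comp, guard in inventory:
        print(f"{name:8} {ver:8} {comp:10} {triage(ver, comp, guard)}")
```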

Advisories
Source: Github GHSA
ID: GHSA-f984-pcp8-v2p7
Title: Wasmtime has improperly masked return value from `table.grow` with Winch compiler backend
History

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Bytecodealliance
Bytecodealliance wasmtime
Vendors & Products Bytecodealliance
Bytecodealliance wasmtime

Fri, 10 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-843
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:H'}

threat_severity

Moderate


Thu, 09 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Description Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler backend contains a bug where translating the table.grow operator causes the result to be incorrectly typed. For 32-bit tables this means that the result of the operator, internally in Winch, is tagged as a 64-bit value instead of a 32-bit value. This invalid internal representation of Winch's compiler state compounds into further issues depending on how the value is consumed. The primary consequence of this bug is that bytes in the host's address space can be stored/read from. This is only applicable to the 16 bytes before linear memory, however, as the only significant return value of table.grow that can be misinterpreted is -1. The bytes before linear memory are, by default, unmapped memory. Wasmtime will detect this fault and abort the process, however, because wasm should not be able to access these bytes. Overall this bug in Winch represents a DoS vector by crashing the host process, a correctness issue within Winch, and a possible leak of up to 16-bytes before linear memory. Wasmtime's default compiler is Cranelift, not Winch, and Wasmtime's default settings are to place guard pages before linear memory. This means that Wasmtime's default configuration is not affected by this issue, and when explicitly choosing Winch Wasmtime's otherwise default configuration leads to a DoS. Disabling guard pages before linear memory is required to possibly leak up to 16-bytes of host data. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
Title Wasmtime has an improperly masked return value from `table.grow` with Winch compiler backend
Weaknesses CWE-789
References
Metrics cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T18:54:48.760Z

Reserved: 2026-04-01T17:26:21.134Z

Link: CVE-2026-35186

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-09T19:16:25.343

Modified: 2026-04-09T19:16:25.343

Link: CVE-2026-35186

Redhat

Severity: Moderate

Public Date: 2026-04-09T18:54:48Z

Links: CVE-2026-35186 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:29:53Z

Weaknesses