CVE-2026-34945: CWE-681: Incorrect Conversion between Numeric Types in bytecodealliance wasmtime
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
AI Analysis
Technical Summary
Wasmtime's Winch compiler incorrectly handled the table.size instruction for 64-bit tables, returning a 32-bit integer statically rather than using the table's index type. This type mismatch allowed WebAssembly guests to read data from the host's stack, which may contain sensitive information. The bug arises from the ABI details, including multi-value returns, enabling stack data disclosure. The vulnerability affects multiple Wasmtime version ranges prior to 36.0.7, 42.0.2, and 43.0.1, where the issue has been fixed.
Potential Impact
The vulnerability could lead to disclosure of sensitive data from the host's stack to WebAssembly guests. However, the CVSS score of 2.3 and the low severity rating indicate that the impact is limited and exploitation complexity is relatively high. There are no known exploits in the wild.
Mitigation Recommendations
A fix is available in Wasmtime versions 36.0.7, 42.0.2, and 43.0.1. Users should upgrade to one of these versions or later to remediate this vulnerability. Patch status is confirmed by the vendor's versioning information. No additional mitigation steps are indicated.
CVE-2026-34945: CWE-681: Incorrect Conversion between Numeric Types in bytecodealliance wasmtime
Description
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Wasmtime's Winch compiler incorrectly handled the table.size instruction for 64-bit tables, returning a 32-bit integer statically rather than using the table's index type. This type mismatch allowed WebAssembly guests to read data from the host's stack, which may contain sensitive information. The bug arises from the ABI details, including multi-value returns, enabling stack data disclosure. The vulnerability affects multiple Wasmtime version ranges prior to 36.0.7, 42.0.2, and 43.0.1, where the issue has been fixed.
Potential Impact
The vulnerability could lead to disclosure of sensitive data from the host's stack to WebAssembly guests. However, the CVSS score of 2.3 and the low severity rating indicate that the impact is limited and exploitation complexity is relatively high. There are no known exploits in the wild.
Mitigation Recommendations
A fix is available in Wasmtime versions 36.0.7, 42.0.2, and 43.0.1. Users should upgrade to one of these versions or later to remediate this vulnerability. Patch status is confirmed by the vendor's versioning information. No additional mitigation steps are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T17:27:08.661Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d7f88c1cc7ad14da0c16fa
Added to database: 4/9/2026, 7:05:48 PM
Last enriched: 4/9/2026, 7:21:56 PM
Last updated: 4/10/2026, 7:20:56 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.