CVE-2026-34945: CWE-681: Incorrect Conversion between Numeric Types in bytecodealliance wasmtime
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
AI Analysis
Technical Summary
Wasmtime's Winch compiler incorrectly handled the table.size instruction for 64-bit tables, returning a 32-bit integer instead of the appropriate index type size. This numeric conversion error could lead to WebAssembly guests reading unintended data from the host's stack, which may include sensitive information from other host operations. The vulnerability arises from a static typing mistake combined with the ABI details of Winch, such as multi-value returns. Affected versions include Wasmtime releases from 25.0.0 up to but not including 36.0.7, 42.0.2, and 43.0.1. The issue is resolved in versions 36.0.7, 42.0.2, and 43.0.1.
Potential Impact
The vulnerability could allow a WebAssembly guest to read data from the host's stack that it should not have access to, potentially exposing sensitive host-originated data. However, the impact is limited by the low CVSS score (2.3) and the requirement for at least low privileges (PR:L) and partial attack complexity. There are no known exploits in the wild.
Mitigation Recommendations
This vulnerability has been fixed in Wasmtime versions 36.0.7, 42.0.2, and 43.0.1. Users should upgrade to one of these versions or later to remediate the issue. Patch status is confirmed by the vendor advisory. No additional mitigation actions are indicated.
CVE-2026-34945: CWE-681: Incorrect Conversion between Numeric Types in bytecodealliance wasmtime
Description
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Wasmtime's Winch compiler incorrectly handled the table.size instruction for 64-bit tables, returning a 32-bit integer instead of the appropriate index type size. This numeric conversion error could lead to WebAssembly guests reading unintended data from the host's stack, which may include sensitive information from other host operations. The vulnerability arises from a static typing mistake combined with the ABI details of Winch, such as multi-value returns. Affected versions include Wasmtime releases from 25.0.0 up to but not including 36.0.7, 42.0.2, and 43.0.1. The issue is resolved in versions 36.0.7, 42.0.2, and 43.0.1.
Potential Impact
The vulnerability could allow a WebAssembly guest to read data from the host's stack that it should not have access to, potentially exposing sensitive host-originated data. However, the impact is limited by the low CVSS score (2.3) and the requirement for at least low privileges (PR:L) and partial attack complexity. There are no known exploits in the wild.
Mitigation Recommendations
This vulnerability has been fixed in Wasmtime versions 36.0.7, 42.0.2, and 43.0.1. Users should upgrade to one of these versions or later to remediate the issue. Patch status is confirmed by the vendor advisory. No additional mitigation actions are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T17:27:08.661Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d7f88c1cc7ad14da0c16fa
Added to database: 4/9/2026, 7:05:48 PM
Last enriched: 4/17/2026, 12:25:01 PM
Last updated: 5/25/2026, 12:20:25 PM
Views: 62
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.