CVE-2026-34946: CWE-670: Always-Incorrect Control Flow Implementation in bytecodealliance wasmtime
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-of-service vulnerability in Wasmtime due to guests being able to trigger a panic. The specific issue is that a historical refactoring changed how compiled code referenced tables within the table.* instructions. This refactoring forgot to update the Winch code paths associated as well, meaning that Winch was using the wrong indexing scheme. Due to the feature support of Winch the only problem that can result is tables being mixed up or nonexistent tables being used, meaning that the guest is limited to panicking the host (using a nonexistent table), or executing spec-incorrect behavior and modifying the wrong table. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
AI Analysis
Technical Summary
Wasmtime is a WebAssembly runtime whose Winch compiler versions 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1 contain a vulnerability in the compilation of the table.fill instruction. A historical refactoring changed table referencing but failed to update Winch's code paths, causing incorrect indexing of tables. This can lead to the use of nonexistent tables, resulting in a host panic (denial of service) or spec-incorrect behavior where the wrong table is modified. The vulnerability affects all architectures supported by Wasmtime. It is identified as CWE-670 (Always-Incorrect Control Flow Implementation). The CVSS 4.0 score is 5.9 (medium severity). Fixes are included in Wasmtime versions 36.0.7, 42.0.2, and 43.0.1.
Potential Impact
The vulnerability allows a valid WebAssembly guest module to cause the Wasmtime host to panic, resulting in denial of service. There is no indication of code execution or data corruption beyond incorrect table usage and host panic. This impacts availability of the Wasmtime runtime on affected versions.
Mitigation Recommendations
Fixes for this vulnerability are included in Wasmtime versions 36.0.7, 42.0.2, and 43.0.1. Users should upgrade to one of these fixed versions to remediate the issue. Patch status is not explicitly confirmed in the advisory; therefore, verify with the vendor for the latest remediation guidance. No other mitigations are specified.
CVE-2026-34946: CWE-670: Always-Incorrect Control Flow Implementation in bytecodealliance wasmtime
Description
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-of-service vulnerability in Wasmtime due to guests being able to trigger a panic. The specific issue is that a historical refactoring changed how compiled code referenced tables within the table.* instructions. This refactoring forgot to update the Winch code paths associated as well, meaning that Winch was using the wrong indexing scheme. Due to the feature support of Winch the only problem that can result is tables being mixed up or nonexistent tables being used, meaning that the guest is limited to panicking the host (using a nonexistent table), or executing spec-incorrect behavior and modifying the wrong table. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Wasmtime is a WebAssembly runtime whose Winch compiler versions 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1 contain a vulnerability in the compilation of the table.fill instruction. A historical refactoring changed table referencing but failed to update Winch's code paths, causing incorrect indexing of tables. This can lead to the use of nonexistent tables, resulting in a host panic (denial of service) or spec-incorrect behavior where the wrong table is modified. The vulnerability affects all architectures supported by Wasmtime. It is identified as CWE-670 (Always-Incorrect Control Flow Implementation). The CVSS 4.0 score is 5.9 (medium severity). Fixes are included in Wasmtime versions 36.0.7, 42.0.2, and 43.0.1.
Potential Impact
The vulnerability allows a valid WebAssembly guest module to cause the Wasmtime host to panic, resulting in denial of service. There is no indication of code execution or data corruption beyond incorrect table usage and host panic. This impacts availability of the Wasmtime runtime on affected versions.
Mitigation Recommendations
Fixes for this vulnerability are included in Wasmtime versions 36.0.7, 42.0.2, and 43.0.1. Users should upgrade to one of these fixed versions to remediate the issue. Patch status is not explicitly confirmed in the advisory; therefore, verify with the vendor for the latest remediation guidance. No other mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T17:27:08.661Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d7f88c1cc7ad14da0c16fd
Added to database: 4/9/2026, 7:05:48 PM
Last enriched: 4/9/2026, 7:21:51 PM
Last updated: 4/10/2026, 8:15:50 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.