CVE-2026-34987: CWE-125: Out-of-bounds Read in bytecodealliance wasmtime
CVE-2026-34987 is a critical out-of-bounds read vulnerability in the Wasmtime WebAssembly runtime when using the non-default Winch compiler backend. It allows a specially crafted WebAssembly guest to access host memory outside its sandbox, potentially leading to data leaks, process crashes, or remote code execution. The flaw arises from incorrect assumptions about 32-bit memory offsets in 64-bit registers. This vulnerability affects Wasmtime versions from 25. 0. 0 up to but not including 36. 0. 7, 42. 0. 2, and 43.
AI Analysis
Technical Summary
Wasmtime is a WebAssembly runtime that supports multiple compiler backends, including Cranelift (default) and Winch (non-default). CVE-2026-34987 is an out-of-bounds read vulnerability in Wasmtime's Winch backend present in versions >=25.0.0 and <36.0.7, >=37.0.0 and <42.0.2, and >=43.0.0 and <44.0.1. The vulnerability allows a guest Wasm module compiled with Winch to access host memory outside its linear-memory sandbox due to improper handling of 32-bit offsets stored in 64-bit registers. This can lead to reading memory before or after the linear memory region, with a proof-of-concept demonstrated on aarch64 and theoretical impact on x86-64. Potential impacts include host process crashes (DoS), arbitrary data leaks, or remote code execution if writes are possible. The issue is resolved in Wasmtime versions 36.0.7, 42.0.2, and 43.0.1.
Potential Impact
Exploitation of this vulnerability can allow a WebAssembly guest using the Winch compiler backend to read or potentially write outside its allocated memory sandbox. This can cause segmentation faults resulting in denial of service, leak sensitive host process memory, or lead to arbitrary remote code execution. The vulnerability is critical with a CVSS 4.0 score of 9.0, reflecting network attack vector, low attack complexity, partial privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
A fix is available in Wasmtime versions 36.0.7, 42.0.2, and 43.0.1. Users should upgrade to one of these versions or later to remediate this vulnerability. Since the vulnerability only affects the Winch compiler backend, avoiding use of this backend or using the default Cranelift backend can mitigate risk. Patch status is confirmed by the version ranges fixed. No vendor advisory content contradicts this guidance.
CVE-2026-34987: CWE-125: Out-of-bounds Read in bytecodealliance wasmtime
Description
CVE-2026-34987 is a critical out-of-bounds read vulnerability in the Wasmtime WebAssembly runtime when using the non-default Winch compiler backend. It allows a specially crafted WebAssembly guest to access host memory outside its sandbox, potentially leading to data leaks, process crashes, or remote code execution. The flaw arises from incorrect assumptions about 32-bit memory offsets in 64-bit registers. This vulnerability affects Wasmtime versions from 25. 0. 0 up to but not including 36. 0. 7, 42. 0. 2, and 43.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Wasmtime is a WebAssembly runtime that supports multiple compiler backends, including Cranelift (default) and Winch (non-default). CVE-2026-34987 is an out-of-bounds read vulnerability in Wasmtime's Winch backend present in versions >=25.0.0 and <36.0.7, >=37.0.0 and <42.0.2, and >=43.0.0 and <44.0.1. The vulnerability allows a guest Wasm module compiled with Winch to access host memory outside its linear-memory sandbox due to improper handling of 32-bit offsets stored in 64-bit registers. This can lead to reading memory before or after the linear memory region, with a proof-of-concept demonstrated on aarch64 and theoretical impact on x86-64. Potential impacts include host process crashes (DoS), arbitrary data leaks, or remote code execution if writes are possible. The issue is resolved in Wasmtime versions 36.0.7, 42.0.2, and 43.0.1.
Potential Impact
Exploitation of this vulnerability can allow a WebAssembly guest using the Winch compiler backend to read or potentially write outside its allocated memory sandbox. This can cause segmentation faults resulting in denial of service, leak sensitive host process memory, or lead to arbitrary remote code execution. The vulnerability is critical with a CVSS 4.0 score of 9.0, reflecting network attack vector, low attack complexity, partial privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
A fix is available in Wasmtime versions 36.0.7, 42.0.2, and 43.0.1. Users should upgrade to one of these versions or later to remediate this vulnerability. Since the vulnerability only affects the Winch compiler backend, avoiding use of this backend or using the default Cranelift backend can mitigate risk. Patch status is confirmed by the version ranges fixed. No vendor advisory content contradicts this guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T19:38:31.617Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d7f88c1cc7ad14da0c1706
Added to database: 4/9/2026, 7:05:48 PM
Last enriched: 4/9/2026, 7:20:51 PM
Last updated: 4/9/2026, 9:26:33 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.