CVE-2026-34987

Published: Apr 09, 2026 Last Modified: Apr 15, 2026
ExploitDB:
Other exploit source:
Google Dorks:
CRITICAL 9,0
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
CRITICAL 9,9
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: high

Description

AI Translation Available

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-memory sandbox. This vulnerability requires use of the Winch compiler (-Ccompiler=winch). By default, Wasmtime uses its Cranelift backend, not Winch. With Winch, the same incorrect assumption is present in theory on both aarch64 and x86-64. The aarch64 case has an observed-working proof of concept, while the x86-64 case is theoretical and may not be reachable in practice. This Winch compiler bug can allow the Wasm guest to access memory before or after the linear-memory region, independently of whether pre- or post-guard regions are configured. The accessible range in the initial bug proof-of-concept is up to 32KiB before the start of memory, or ~4GiB after the start of memory, independently of the size of pre- or post-guard regions or the use of explicit or guard-region-based bounds checking. However, the underlying bug assumes a 32-bit memory offset stored in a 64-bit register has its upper bits cleared when it may not, and so closely related variants of the initial proof-of-concept may be able to access truly arbitrary memory in-process. This could result in a host process segmentation fault (DoS), an arbitrary data leak from the host process, or with a write, potentially an arbitrary RCE. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0004
Percentile
0,1th
Updated

EPSS Score Trend (Last 7 Days)

125

Out-of-bounds Read

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Availability Other
Potential Impacts:
Read Memory Bypass Protection Mechanism Dos: Crash, Exit, Or Restart Varies By Context
Applicable Platforms
Languages: C, C++, Memory-Unsafe
Technologies: ICS/OT
View CWE Details
787

Out-of-bounds Write

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Availability Other
Potential Impacts:
Modify Memory Execute Unauthorized Code Or Commands Dos: Crash, Exit, Or Restart Unexpected State
Applicable Platforms
Languages: Assembly, C, C++, Memory-Unsafe
Technologies: ICS/OT
Likelihood of Exploit: High
View CWE Details
Application

Wasmtime by Bytecodealliance

Product Information
Vendor Bytecodealliance
Product Wasmtime
Version Range Affected
From 37.0.0 (inclusive)
To 42.0.2 (exclusive)
cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Wasmtime by Bytecodealliance

Product Information
Vendor Bytecodealliance
Product Wasmtime
Version 43.0.0
cpe:2.3:a:bytecodealliance:wasmtime:43.0.0:*:*:*:*:rust:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Wasmtime by Bytecodealliance

Product Information
Vendor Bytecodealliance
Product Wasmtime
Version Range Affected
From 25.0.0 (inclusive)
To 36.0.7 (exclusive)
cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://github.com/bytecodealliance/wasmtime/security/advis…
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6…