CVE-2026-34945

CVE-2026-34945 is a medium-severity vulnerability in Bytecodealliance Wasmtime with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-681.

Key facts

Description

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.

Frequently asked questions

What is CVE-2026-34945?
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
How severe is CVE-2026-34945?
CVE-2026-34945 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2026-34945 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (24th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-34945?
CVE-2026-34945 affects Bytecodealliance Wasmtime. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-34945?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-34945 have an EU (EUVD) identifier?
Yes. CVE-2026-34945 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-21024.
When was CVE-2026-34945 published?
CVE-2026-34945 was published on 2026-04-09 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Bytecodealliance Wasmtime

All CVEs affecting Bytecodealliance Wasmtime →

Other CWE-681 vulnerabilities

Browse all CWE-681 vulnerabilities →