PT-2026-31686 · Bytecode Alliance · Wasmtime

Published 2026-04-09 · Updated 2026-04-21 · CVE-2026-34945

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Wasmtime versions 25.0.0 through 36.0.6, 42.0.2, and 43.0.1

Description

Wasmtime's Winch compiler has a flaw in how it handles the table.size instruction with 64-bit tables, part of the WebAssembly memory64 proposal. This can lead to the disclosure of data from the host's stack to WebAssembly guests. The host stack may contain sensitive data from other operations that should not be accessible to guests. The issue stems from the table.size return value being incorrectly typed as a 32-bit integer instead of dynamically determining its size based on the table's index type. This, combined with Winch's Application Binary Interface (ABI) and multi-value returns, allows reading host stack data within a guest.

Recommendations

Update to Wasmtime version 36.0.7, 42.0.2, or 43.0.1.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-34945
GHSA-M9W2-8782-2946
OPENSUSE-SU-2026:10598-1
RUSTSEC-2026-0086

Affected Products

Wasmtime