CVE-2026-34946

Name of the Vulnerable Software and Affected Versions Wasmtime versions 25.0.0 through 36.0.6, 42.0.2, and 43.0.1

Description Wasmtime, a runtime for WebAssembly, contains an issue where the compilation of the table.fill instruction using the Winch compiler can lead to a host panic. A valid guest compiled with Winch can trigger this panic, resulting in a denial-of-service condition. The root cause is a refactoring that altered how compiled code references tables within table.* instructions, but the Winch code paths were not updated accordingly, leading to an incorrect indexing scheme. This can cause tables to be mixed up or nonexistent tables to be used, ultimately resulting in a host panic.

Recommendations Update to Wasmtime version 36.0.7, 42.0.2, or 43.0.1.