PT-2026-31688 · Bytecode Alliance · Wasmtime

Published 2026-04-09 · Updated 2026-04-13 · CVE-2026-34971

CVSS v4.0 9.0 Critical

Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

Wasmtime versions 32.0.0 through 36.0.6, 42.0.2, and 43.0.1

Description

Wasmtime's Cranelift compilation backend has a flaw on aarch64 architectures when handling specific heap access patterns. This can lead to incorrect address calculations, potentially allowing a WebAssembly module to bypass bounds checks and read or write to arbitrary host memory. This is a sandbox escape issue. The issue occurs with 64-bit WebAssembly linear memories when Config::wasm_memory64 is enabled, and when Spectre mitigations or signals-based-traps are disabled. The root cause is a miscompilation of a load operation of the form load(iadd(base, ishl(index, amt))) where amt is a constant, due to an incorrect mask during instruction selection.

Recommendations

Update to Wasmtime version 36.0.7 or later, 42.0.2, or 43.0.1.

Fix

Out of bounds Read

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2026-34971
GHSA-JHXM-H53P-JM7W
RUSTSEC-2026-0096

Affected Products

Wasmtime