PT-2026-31690 · Bytecode Alliance · Wasmtime
Published: 2026-04-09 · Updated: 2026-04-11 · CVE-2026-34987
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Wasmtime versions 25.0.0 through 36.0.6, 42.0.2, and 43.0.1
Description
Wasmtime, a runtime for WebAssembly, may allow guest WebAssembly code to access host memory outside of its designated sandbox when using the Winch compiler backend. This occurs due to an incorrect assumption in the Winch compiler regarding memory offsets, potentially allowing access to memory before or after the linear-memory region. This could lead to a denial-of-service (DoS) condition, data leakage, or potentially remote code execution (RCE). The aarch64 case has a working proof of concept, while the x86-64 case is theoretical.
Recommendations
Update to Wasmtime version 36.0.7, 42.0.2, or 43.0.1.
Fix
Out of bounds Read
Memory Corruption
Affected Products
Wasmtime