PT-2026-31691 · Bytecode Alliance · Wasmtime

Published: 2026-04-09 · Updated: 2026-05-06 · CVE-2026-34988

CVSS v3.1: 6.3 (Medium)

Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Wasmtime versions 28.0.0 through 36.0.6, 42.0.2 and 43.0.1

Description

Wasmtime's pooling allocator implementation contains a flaw where linear memory contents can leak between WebAssembly instances under specific configurations. This occurs due to an incorrect predicate used for resetting virtual memory permissions, leading to a divergence between compile-time and runtime behavior. The vulnerability requires the pooling allocator to be in use, Config::memory_guard_size to be 0, Config::memory_reservation to be less than 4GiB, and max_memory_size to equal memory_reservation. When these conditions are met, reused linear memory may not have its VM permissions reset, allowing compiled code to read previous memory contents instead of triggering a segfault. This represents a data leakage issue that compromises WebAssembly semantics and the Wasmtime sandbox.

Recommendations

Update to Wasmtime version 36.0.7, 42.0.2, or 43.0.1.

Fix

Buffer Overflow

Weakness Enumeration

Related Identifiers

CVE-2026-34988
GHSA-6WGR-89RJ-399P
OPENSUSE-SU-2026:10715-1
RUSTSEC-2026-0088

Affected Products

Wasmtime