PT-2026-31692 · Bytecode Alliance · Wasmtime

Published: 2026-04-09 · Updated: 2026-05-06 · CVE-2026-35186

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Wasmtime versions 25.0.0 through 36.0.6, 42.0.2, and 43.0.1

Description

Wasmtime, a runtime for WebAssembly, has an issue in its Winch compiler backend where the translation of the table.grow operator results in an incorrect type. Specifically, for 32-bit tables, the result is tagged as a 64-bit value instead of a 32-bit value within Winch. This can lead to a denial of service (DoS) by crashing the host process, a correctness issue within Winch, and a potential leak of up to 16 bytes before linear memory. The vulnerability is exploitable when guard pages before linear memory are disabled. The default compiler for Wasmtime is Cranelift, and the default configuration includes guard pages, meaning the default configuration is not affected.

Recommendations

Update to Wasmtime version 36.0.7, 42.0.2, or 43.0.1.

Related Identifiers

CVE-2026-35186
GHSA-F984-PCP8-V2P7
OPENSUSE-SU-2026:10715-1
RUSTSEC-2026-0094

Affected Products

Wasmtime