CVE Reports

Originally published at cvereports.com

CVE-2026-34945: Host Stack Memory Leak via Type Confusion in Wasmtime Winch Compiler

Vulnerability ID: CVE-2026-34945
CVSS Score: 2.3
Published: 2026-04-09

The Wasmtime WebAssembly runtime is affected by a type confusion vulnerability in its Winch compiler backend when processing the table.size instruction. When the memory64 proposal is enabled, this flaw allows a malicious guest WebAssembly module to read uninitialized host stack memory, potentially leaking sensitive host data.

TL;DR

A static typing error in the Wasmtime Winch compiler results in a failure to fully initialize a 64-bit register when evaluating the size of 64-bit tables. This leaks 32 bits of uninitialized host stack data to the guest module, tracked as CVE-2026-34945.


Technical Details

  • CWE ID: CWE-681
  • Attack Vector: Network
  • CVSS v4.0 Score: 2.3 (Low)
  • Exploit Status: None
  • KEV Status: Not Listed
  • Affected Component: Winch Compiler Instruction Emitter

Affected Systems

  • Wasmtime WebAssembly Runtime (Winch Compiler Backend)
  • Wasmtime: >= 25.0.0, < 36.0.7 (Fixed in: 36.0.7)
  • Wasmtime: >= 37.0.0, < 42.0.2 (Fixed in: 42.0.2)
  • Wasmtime: >= 43.0.0, < 43.0.1 (Fixed in: 43.0.1)

Code Analysis

Commit: 96dde3a

Fix table.size instruction emitter to query correct index type instead of hardcoding i32, preventing uninitialized memory leaks.

fn visit_table_size(&mut self, table: u32) -> Self::Output {
-    self.context.stack.push(TypedReg::i32(size).into());
+    let dst = TypedReg::new(table_data.index_type(), size);
+    self.context.stack.push(dst.into());
}
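
Review bot: The added line reads table_data.index_type(), but nothing visible in this hunk binds table_data (or size) inside visit_table_size; please confirm it is the table resolved from the table argument, so the type of the pushed register follows that table's index type. The removed TypedReg::i32(size) hardcoded the width, so a short comment above TypedReg::new(...) stating why the type must come from the table would help, as would a regression test that runs table.size on a table with a 64-bit index type under Winch.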

Mitigation Strategies

  • Upgrade Wasmtime to a patched release (36.0.7, 42.0.2, or 43.0.1).
  • Disable the memory64 WebAssembly proposal in the Wasmtime engine configuration.
  • Switch the compiler backend from Winch to the default Cranelift compiler.

Remediation Steps:

  1. Identify all production and testing environments running Wasmtime.
  2. Review the engine configuration blocks to determine if Config::compiler_builder specifies Winch.
  3. Review the engine configuration to determine if Config::wasm_memory64 is set to true.
  4. Update the wasmtime dependency in Cargo.toml to version 36.0.7, 42.0.2, or 43.0.1.
  5. Recompile the host application and redeploy.
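
A version check to support steps 1 and 4, written for this page as an added example (not Wasmtime project code): it scans Cargo.lock text for the locked wasmtime version and compares it with the affected ranges listed above. The function names and the sample lockfile are assumptions made for the example; steps 2 and 3 still require reviewing the engine configuration.

```rust
type Version = (u64, u64, u64);

// Added example. (first affected release, fixed release) pairs as listed on this page.
const AFFECTED: [(Version, Version); 3] =
    [((25, 0, 0), (36, 0, 7)), ((37, 0, 0), (42, 0, 2)), ((43, 0, 0), (43, 0, 1))];

#[derive(Debug, PartialEq)]
enum Status { Affected { fixed_in: Version }, NotAffected, Unparsed }

/// Parse plain "MAJOR.MINOR.PATCH"; suffixed versions return None for manual review.
fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.split('.').map(|p| p.parse::<u64>().ok());
    let v = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { None } else { Some(v) }
}

/// Classify one version string against the advisory ranges.
fn classify(ver: &str) -> Status {
    let Some(v) = parse_version(ver) else { return Status::Unparsed };
    match AFFECTED.iter().find(|(lo, hi)| v >= *lo && v < *hi) {
        Some((_, hi)) => Status::Affected { fixed_in: *hi },
        None => Status::NotAffected,
    }
}

/// Return every `wasmtime` package version locked in Cargo.lock text.
fn audit_lockfile(lock: &str) -> Vec<(String, Status)> {
    let (mut out, mut in_wasmtime) = (Vec::new(), false);
    for line in lock.lines().map(str::trim) {
        if line.starts_with("name = ") {
            in_wasmtime = line == "name = \"wasmtime\""; // exact crate name only
        } else if in_wasmtime {
            if let Some(v) = line.strip_prefix("version = \"").and_then(|r| r.strip_suffix('"')) {
                out.push((v.to_string(), classify(v)));
                in_wasmtime = false;
            }
        }
    }
    out
}

fn main() {
    // Constructed sample lockfile excerpt, not taken from a real project.
    let lock = "[[package]]\nname = \"wasmtime\"\nversion = \"41.0.3\"\n\n\
                [[package]]\nname = \"wasmtime-environ\"\nversion = \"41.0.3\"\n";
    for (ver, status) in audit_lockfile(lock) {
        println!("wasmtime {ver}: {status:?}");
    }
}
```

An Affected result only shows that a vulnerable release is locked; whether the flaw is reachable still depends on Winch and memory64 being enabled.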

Read the full report for CVE-2026-34945 on our website for more details including interactive diagrams and full exploit analysis.