CVE-2026-34946: Host Panic Denial of Service in Wasmtime Winch Compiler
Vulnerability ID: CVE-2026-34946
CVSS Score: 5.9
Published: 2026-04-09
A moderate-severity vulnerability in the Wasmtime Winch compiler backend allows a malicious WebAssembly guest module to trigger a host panic via an out-of-bounds array access. The flaw stems from a regression during a refactoring of table index handling: Winch was not updated to translate module-level (global) table indices, which count imported tables first, into the defined-table indices used to look up the tables a module defines itself. Because Wasmtime is written in Rust, the out-of-bounds access is caught by a bounds check and surfaces as a panic rather than memory corruption, so the impact is denial of service of the host, not code execution.
TL;DR
Wasmtime's Winch compiler fails to properly translate global table indices to defined table indices during table.fill operations, allowing a guest module to crash the host runtime (DoS) by triggering a bounds check panic.
⚠️ Exploit Status: POC
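The index mismatch described in the TL;DR, as an added Rust model that is not Wasmtime's code: an instance keeps storage only for the tables the module defines, so a module-level index must have the number of imported tables subtracted before it can index that storage. The type and function names (`TableIndex`, `DefinedTableIndex`, `table_fill_buggy`, `table_fill_fixed`) are assumptions for illustration, and the layout of one imported plus one defined table is a constructed sample.

```rust
use std::panic;

// Stand-alone model of the two table index spaces, not wasmtime's code.
// TableIndex counts imported tables first, then tables the module defines;
// DefinedTableIndex counts only the latter, which is what the instance stores.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct TableIndex(pub u32);
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct DefinedTableIndex(pub u32);

/// A funcref table modelled as optional function indices.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Table {
    pub elements: Vec<Option<u32>>,
}

/// Instance state relevant to table.fill.  Imported tables are owned by the
/// exporting side, so only defined tables have storage here.
pub struct Instance {
    pub num_imported_tables: u32,
    pub defined_tables: Vec<Table>,
}

impl Instance {
    /// Module-level index -> defined-table index; None for imported tables.
    pub fn defined_table_index(&self, idx: TableIndex) -> Option<DefinedTableIndex> {
        idx.0.checked_sub(self.num_imported_tables).map(DefinedTableIndex)
    }

    /// Correct path: translate first, then index defined-table storage.
    /// An out-of-range fill is reported as an error (a wasm trap), not a panic.
    pub fn table_fill_fixed(
        &mut self, table: TableIndex, dst: u32, val: Option<u32>, len: u32,
    ) -> Result<(), String> {
        let defined = self
            .defined_table_index(table)
            .ok_or_else(|| format!("table {} is imported; not filled in this model", table.0))?;
        let t = self
            .defined_tables
            .get_mut(defined.0 as usize)
            .ok_or_else(|| format!("no defined table {}", defined.0))?;
        let end = (dst as usize).checked_add(len as usize).ok_or("range overflow")?;
        if end > t.elements.len() {
            return Err("table.fill out of bounds".into());
        }
        t.elements[dst as usize..end].iter_mut().for_each(|e| *e = val);
        Ok(())
    }

    /// Buggy path: the module-level index is used as a defined-table index.
    /// With one imported and one defined table, TableIndex(1) reaches
    /// defined_tables[1], which does not exist; Vec indexing panics, which is
    /// the host panic the advisory describes.
    pub fn table_fill_buggy(&mut self, table: TableIndex, dst: u32, val: Option<u32>, len: u32) {
        let t = &mut self.defined_tables[table.0 as usize]; // missing translation
        t.elements[dst as usize..(dst + len) as usize].iter_mut().for_each(|e| *e = val);
    }
}

/// Constructed sample: one imported table, one defined table of 4 slots.
pub fn sample_instance() -> Instance {
    Instance {
        num_imported_tables: 1,
        defined_tables: vec![Table { elements: vec![None; 4] }],
    }
}

/// Run the buggy path on the sample and report whether it panicked.
pub fn buggy_fill_panics() -> bool {
    let mut inst = sample_instance();
    panic::catch_unwind(panic::AssertUnwindSafe(|| {
        inst.table_fill_buggy(TableIndex(1), 0, Some(7), 2);
    }))
    .is_err()
}

fn main() {
    let mut inst = sample_instance();
    // Module-level index 1 is the module's first (and only) defined table.
    inst.table_fill_fixed(TableIndex(1), 1, Some(42), 2).unwrap();
    println!("fixed path: {:?}", inst.defined_tables[0].elements);
    println!("buggy path panicked: {}", buggy_fill_panics());
}
```

The fixed path returns an error for an out-of-range fill, which is what a wasm trap looks like from the host's point of view; the buggy path lets the bounds check inside `Vec` indexing fire instead, and in a real embedder that is a panic propagating through the runtime.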
Technical Details
- CWE ID: CWE-670
- Attack Vector: Network / Local Module Execution
- CVSS v4.0 Score: 5.9 (Moderate)
- Impact: Denial of Service (Host Panic)
- Exploit Status: Proof of Concept Available
- Remediation: Patch Available
Affected Systems
- Wasmtime Runtime
- Wasmtime Winch Compiler Backend
- Wasmtime: >= 25.0.0, < 36.0.7 (Fixed in: 36.0.7)
- Wasmtime: >= 37.0.0, < 42.0.2 (Fixed in: 42.0.2)
- Wasmtime: >= 43.0.0, < 43.0.1 (Fixed in: 43.0.1)
Code Analysis
Commit: 96dde3a
Fix Winch table index translation (43.0.1 Backport)
Commit: 9d73a6e
Fix Winch table index translation (42.0.2 Backport)
Mitigation Strategies
- Disable the Winch compiler backend and use Cranelift exclusively. Cranelift is Wasmtime's default backend; only embedders that opt in to Winch (for example via `Config::strategy(Strategy::Winch)`) run the affected code.
- Implement pre-compilation validation to reject modules combining imported tables and table.fill operations. The module-level and defined table index spaces differ only when a module imports at least one table, so rejecting any table import is a simpler and stricter gate that removes the whole class of input.
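The validation mitigation above, as an added Rust example that is not Wasmtime's code and uses no Wasmtime API: a minimal scanner over the WebAssembly binary format that counts table imports and refuses any module with one. It is deliberately stricter than "imported table and table.fill" (without an imported table the two index spaces coincide, so the mismatch cannot arise) and it rejects anything it cannot parse. The function names and the two sample module byte strings are constructed for this example.

```rust
// Minimal WebAssembly binary scanner: counts table imports so a host can refuse
// such modules before handing them to Winch.  Added example, not Wasmtime code.

fn read_leb_u32(bytes: &[u8], pos: &mut usize) -> Result<u32, String> {
    let (mut result, mut shift) = (0u32, 0);
    loop {
        let b = *bytes.get(*pos).ok_or("unexpected end of LEB128")?;
        *pos += 1;
        result |= ((b & 0x7f) as u32) << shift;
        if b & 0x80 == 0 { return Ok(result); }
        shift += 7;
        if shift > 28 { return Err("LEB128 too long for u32".into()); }
    }
}

fn skip_name(bytes: &[u8], pos: &mut usize) -> Result<(), String> {
    let len = read_leb_u32(bytes, pos)? as usize;
    let end = pos.checked_add(len).ok_or("name length overflow")?;
    if end > bytes.len() { return Err("name runs past end of module".into()); }
    *pos = end;
    Ok(())
}

fn skip_limits(bytes: &[u8], pos: &mut usize) -> Result<(), String> {
    let flags = *bytes.get(*pos).ok_or("missing limits flags")?;
    *pos += 1;
    read_leb_u32(bytes, pos)?; // min
    if flags & 0x01 != 0 { read_leb_u32(bytes, pos)?; } // max, only when flag bit 0 set
    Ok(())
}

/// Walk the sections and count imports of kind table (0x01) in section id 2.
pub fn count_table_imports(module: &[u8]) -> Result<u32, String> {
    if module.len() < 8 || &module[0..4] != b"\0asm" || module[4..8] != [1u8, 0, 0, 0] {
        return Err("not a wasm binary (bad magic or version)".into());
    }
    let (mut pos, mut tables) = (8usize, 0u32);
    while pos < module.len() {
        let id = module[pos];
        pos += 1;
        let size = read_leb_u32(module, &mut pos)? as usize;
        let end = pos.checked_add(size).ok_or("section size overflow")?;
        if end > module.len() { return Err("section runs past end of module".into()); }
        if id == 2 {
            let count = read_leb_u32(module, &mut pos)?;
            for _ in 0..count {
                skip_name(module, &mut pos)?; // module name
                skip_name(module, &mut pos)?; // field name
                let kind = *module.get(pos).ok_or("missing import kind")?;
                pos += 1;
                match kind {
                    0x00 => { read_leb_u32(module, &mut pos)?; } // func: type index
                    0x01 => { pos += 1; skip_limits(module, &mut pos)?; tables += 1; } // table: reftype + limits
                    0x02 => skip_limits(module, &mut pos)?, // memory: limits
                    0x03 => pos += 2, // global: valtype + mutability
                    k => return Err(format!("unknown import kind 0x{k:02x}")),
                }
            }
            if pos != end { return Err("import section size does not match contents".into()); }
        }
        pos = end; // other sections are skipped wholesale
    }
    Ok(tables)
}

/// Pre-compilation gate: refuse any module that imports a table.
pub fn accept_for_winch(module: &[u8]) -> Result<(), String> {
    match count_table_imports(module)? {
        0 => Ok(()),
        n => Err(format!("rejected: module imports {n} table(s)")),
    }
}

/// Constructed sample: (import "env" "tab" (table 1 funcref)) after a type section.
pub const IMPORTS_TABLE: &[u8] = &[
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic + version 1
    0x01, 0x04, 0x01, 0x60, 0x00, 0x00,             // type section: one () -> ()
    0x02, 0x0d, 0x01,                               // import section, 1 import
    0x03, b'e', b'n', b'v', 0x03, b't', b'a', b'b', // "env" "tab"
    0x01, 0x70, 0x00, 0x01,                         // table, funcref, min 1
];

/// Constructed sample: (import "env" "f" (func)), no table import.
pub const IMPORTS_FUNC: &[u8] = &[
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,
    0x01, 0x04, 0x01, 0x60, 0x00, 0x00,
    0x02, 0x09, 0x01, 0x03, b'e', b'n', b'v', 0x01, b'f', 0x00, 0x00, // func, type 0
];

fn main() {
    for (name, m) in [("imports-table", IMPORTS_TABLE), ("imports-func", IMPORTS_FUNC)] {
        println!("{name}: {:?}", accept_for_winch(m));
    }
}
```

Run the gate before `Module::new` or whatever compilation entry point the embedder uses; a truncated or malformed section is an error, not a pass, so a module cannot slip through by confusing the scanner. Hosts that already validate with a full parser can express the same rule as "zero table imports" there instead.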
Remediation Steps:
- Identify the deployed version of the Wasmtime dependency (for Rust embedders, `cargo tree -i wasmtime` shows the resolved version and what depends on it).
- Upgrade Wasmtime to 36.0.7, 42.0.2 or 43.0.1, whichever matches the major version track in use.
- Recompile and deploy the host application; because Wasmtime is linked into the embedder, the fix takes effect only after the host binary is rebuilt.