DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-34971: Critical Sandbox Escape via Cranelift Miscompilation on AArch64

Vulnerability ID: CVE-2026-34971
CVSS Score: 9.0
Published: 2026-04-09

A miscompilation vulnerability in the Wasmtime Cranelift compilation backend for AArch64 allows an attacker to achieve an out-of-bounds read and write, leading to a complete sandbox escape.

TL;DR

A logic error in Cranelift's ISLE rules on AArch64 miscompiles memory accesses that use a shifted index when Spectre mitigations are disabled. The bounds check and the memory access it is meant to guard end up computing different addresses, so a check can pass for one address while the load or store touches another, enabling out-of-bounds memory access and a sandbox escape.


Technical Details

  • CWE ID: CWE-125, CWE-787
  • Attack Vector: Network / Arbitrary WebAssembly Module
  • CVSS v4.0: 9.0
  • Impact: Sandbox Escape / Remote Code Execution
  • Architecture: AArch64 (ARM64)
  • Exploit Status: Unpublished
  • KEV Status: Not Listed

Affected Systems

  • Wasmtime Runtime (AArch64 instances)
  • Cranelift Compilation Backend
  • Wasmtime: >= 32.0.0, < 36.0.7 (Fixed in: 36.0.7)
  • Wasmtime: >= 37.0.0, < 42.0.2 (Fixed in: 42.0.2)
  • Wasmtime: 43.0.0 (Fixed in: 43.0.1)

Code Analysis

Commit: 96dde3a

Fix miscompilation of shifted index on AArch64 by capturing correct shift_ty in ISLE rule.

-(rule 6 (amode_no_more_iconst ty (iadd x (ishl y (iconst (u64_from_imm64 n)))) offset)
-        (if-let true (u64_eq (ty_bytes ty) (u64_wrapping_shl 1 (shift_masked_imm ty n))))
+(rule 6 (amode_no_more_iconst ty (iadd x (ishl y @ (value_type shift_ty) (iconst (u64_from_imm64 n)))) offset)
+        (if-let true (u64_eq (ty_bytes ty) (u64_wrapping_shl 1 (shift_masked_imm shift_ty n))))
         (amode_reg_scaled (amode_add x offset) y))
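Review bot: the `if-let` guard now masks the shift immediate with `shift_ty`, captured from the `ishl` result via `@ (value_type shift_ty)`, instead of with `ty`, the type of the memory access; the mask an `ishl` applies to its shift amount follows the width of the value being shifted, so the old form could satisfy the `ty_bytes` equality for a shift that `amode_reg_scaled` does not actually produce whenever the index type and the access type differ. A filetest that scales an index whose type differs from the loaded or stored type (the mitigation list above points at memory64 indices as the case to cover) would pin this down, and a one-line comment on why `ty` must not be used in the guard would keep the two types from being conflated again.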

Mitigation Strategies

  • Update Wasmtime runtime to patched versions
  • Enable Spectre mitigations within Wasmtime configuration
  • Disable Config::wasm_memory64 if not strictly required

Remediation Steps:

  1. Identify all systems running Wasmtime on AArch64 architectures.
  2. Audit the configuration objects passed to Wasmtime to verify the state of Spectre mitigations and wasm_memory64 settings.
  3. Update wasmtime crate dependencies in Cargo.toml to version 36.0.7, 42.0.2, or 43.0.1.
  4. Recompile and redeploy the host applications incorporating the updated runtime.
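To support remediation steps 1 and 3 (finding builds that depend on an affected Wasmtime and deciding which fixed release to move to), here is an added example, written for this page and not part of the advisory or the Wasmtime project. It encodes the affected ranges listed under Affected Systems and checks every `wasmtime` entry of a Cargo.lock against them. The Cargo.lock text is a constructed sample, and the `AFFECTED` table and the `parse_version`, `is_affected`, `fixed_version_for` and `wasmtime_versions` names are this example's own.

```rust
// Added example (not from the advisory or the Wasmtime project): audit a
// Cargo.lock for the wasmtime crate and report whether the locked version
// falls into one of the affected ranges listed in the advisory.

/// Parsed "major.minor.patch" version; derived Ord compares lexicographically.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl std::fmt::Display for Version {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "{}.{}.{}", self.0, self.1, self.2)
    }
}

/// Parse "x.y.z", dropping any pre-release or build suffix ("43.0.1-beta").
/// Returns None unless exactly three numeric components are present.
pub fn parse_version(s: &str) -> Option<Version> {
    let core = s.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let v = Version(parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() {
        return None;
    }
    Some(v)
}

/// Affected ranges from the advisory as [first affected, first fixed) pairs.
const AFFECTED: &[(Version, Version)] = &[
    (Version(32, 0, 0), Version(36, 0, 7)),
    (Version(37, 0, 0), Version(42, 0, 2)),
    (Version(43, 0, 0), Version(43, 0, 1)),
];

/// The fixed release an affected version should move to, or None if unaffected.
pub fn fixed_version_for(v: Version) -> Option<Version> {
    AFFECTED
        .iter()
        .find(|&&(lo, fixed)| v >= lo && v < fixed)
        .map(|&(_, fixed)| fixed)
}

pub fn is_affected(v: Version) -> bool {
    fixed_version_for(v).is_some()
}

/// Collect the version of every `[[package]]` block named "wasmtime".
/// Blocks whose version does not parse are skipped, not reported as safe.
pub fn wasmtime_versions(lock: &str) -> Vec<Version> {
    let mut out = Vec::new();
    for block in lock.split("[[package]]") {
        let mut name = None;
        let mut version = None;
        for line in block.lines() {
            let line = line.trim();
            if let Some(rest) = line.strip_prefix("name = ") {
                name = Some(rest.trim_matches('"').to_string());
            } else if let Some(rest) = line.strip_prefix("version = ") {
                version = parse_version(rest.trim_matches('"'));
            }
        }
        if name.as_deref() == Some("wasmtime") {
            if let Some(v) = version {
                out.push(v);
            }
        }
    }
    out
}

/// Constructed Cargo.lock fragment used as sample input.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "anyhow"
version = "1.0.98"

[[package]]
name = "wasmtime"
version = "36.0.3"
dependencies = [
 "anyhow",
]
"#;

fn main() {
    for v in wasmtime_versions(SAMPLE_LOCK) {
        match fixed_version_for(v) {
            Some(fixed) => println!("wasmtime {v} is affected by CVE-2026-34971; upgrade to {fixed}"),
            None => println!("wasmtime {v} is not in an affected range"),
        }
    }
}
```

To audit a real project, read its Cargo.lock into a string in place of `SAMPLE_LOCK`; a workspace can lock more than one wasmtime version, so every entry is reported. Because the ranges are half-open, 36.0.7, 42.0.2 and 43.0.1 themselves are reported as fixed, matching the advisory.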

Read the full report for CVE-2026-34971 on our website for more details including interactive diagrams and full exploit analysis.
