CVE Reports

Originally published at cvereports.com

CVE-2026-34988: Cross-Guest Memory Leak in Wasmtime Pooling Allocator

Vulnerability ID: CVE-2026-34988
CVSS Score: 2.3
Published: 2026-04-09

The Wasmtime WebAssembly runtime contains a vulnerability in its pooling allocator that permits data leakage between guest instances. Due to a predicate mismatch in the memory reset logic, virtual memory protections are not properly restored when reusing execution slots under specific non-default configurations. This allows a subsequent guest instance to perform out-of-bounds reads and access residual data left in linear memory by a previous tenant.

TL;DR

Wasmtime's pooling allocator fails to reset virtual memory permissions during slot reuse under specific configurations, enabling subsequent WebAssembly instances to read residual memory from previous instances and bypass sandbox isolation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-119
  • Attack Vector: Network (Guest Module Execution)
  • CVSS Score: 2.3 (v4.0)
  • Impact: Cross-Instance Memory Leak
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Wasmtime WebAssembly Runtime
  • Wasmtime: 28.0.0 to < 36.0.7 (Fixed in: 36.0.7)
  • Wasmtime: 42.0.0 to < 42.0.2 (Fixed in: 42.0.2)
  • Wasmtime: 43.0.0 to < 43.0.1 (Fixed in: 43.0.1)

Code Analysis

Commit: 96dde3a

Fix memory permission reset logic in pooling allocator

Mitigation Strategies

  • Upgrade Wasmtime to versions 36.0.7, 42.0.2, or 43.0.1
  • Disable the pooling allocator to enforce standard OS memory allocation
  • Set Config::memory_guard_size to a non-zero value
  • Configure memory_reservation to a value distinct from max_memory_size

Remediation Steps:

  1. Identify all production applications utilizing the Wasmtime WebAssembly runtime.
  2. Audit Wasmtime configurations to determine if the pooling allocator is active and utilizing vulnerable memory parameters.
  3. Update dependencies in Cargo.toml or equivalent build manifests to reference Wasmtime 36.0.7, 42.0.2, or 43.0.1.
  4. Recompile and deploy the application, monitoring for instantiation performance stability.
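
For steps 1 to 3, the version check can be scripted against each project's Cargo.lock. The following is an added example, not code from this report or from the Wasmtime project; the function names and the sample lockfile are constructed for illustration, and the ranges are copied from the Affected Systems list above. It checks versions only and does not tell you whether the pooling allocator is configured with the vulnerable memory parameters.

```rust
// Added example (not Wasmtime project code): flag `wasmtime` entries in a
// Cargo.lock that fall inside the affected ranges listed in this advisory.
type Ver = (u64, u64, u64);

// [first affected, first fixed) pairs, copied from "Affected Systems" above.
const AFFECTED: [(Ver, Ver); 3] =
    [((28, 0, 0), (36, 0, 7)), ((42, 0, 0), (42, 0, 2)), ((43, 0, 0), (43, 0, 1))];

#[derive(Debug, PartialEq)]
enum Status { Affected { fixed_in: Ver }, NotListed, Unparsed }

fn parse_ver(s: &str) -> Option<Ver> {
    let mut it = s.split('.').map(|p| p.parse::<u64>().ok());
    let v = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some(v) }
}

// NotListed means "outside the ranges on this page", not "verified safe".
fn classify(version: &str) -> Status {
    let v = match parse_ver(version) { Some(v) => v, None => return Status::Unparsed };
    match AFFECTED.iter().find(|(lo, hi)| v >= *lo && v < *hi) {
        Some((_, fixed)) => Status::Affected { fixed_in: *fixed },
        None => Status::NotListed,
    }
}

// Read `key = "value"` from one lockfile line.
fn value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"'))
}

// Cargo.lock writes `name` before `version` inside each [[package]] table.
fn audit_lockfile(lock: &str) -> Vec<(String, Status)> {
    let (mut name, mut out) = ("", Vec::new());
    for line in lock.lines() {
        if let Some(n) = value(line, "name") {
            name = n;
        } else if let Some(v) = value(line, "version") {
            if name == "wasmtime" { out.push((v.to_string(), classify(v))); }
        }
    }
    out
}

// Constructed sample lockfile; in practice read the project's Cargo.lock.
const SAMPLE_LOCK: &str = "[[package]]\nname = \"wasmtime\"\nversion = \"36.0.6\"\n\n\
[[package]]\nname = \"wasmtime\"\nversion = \"43.0.1\"\n\n\
[[package]]\nname = \"wasmtime-environ\"\nversion = \"36.0.6\"\n";

fn main() {
    for (v, s) in audit_lockfile(SAMPLE_LOCK) { println!("wasmtime {v}: {s:?}"); }
}
```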

Read the full report for CVE-2026-34988 on our website for more details including interactive diagrams and full exploit analysis.