CVE-2026-34988 | bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0 memory_guard_size memory corruption (GHSA-6wgr-89rj-399p)

VDB-356669 · CVE-2026-34988 · GHSA-6WGR-89RJ-399P BYTECODEALLIANCE WASMTIME UP TO 36.0.6/42.0.1/44.0.0 MEMORY_GUARD_SIZE MEMORY CORRUPTION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 3.0 $0-$5k 0.95 Summaryinfo A vulnerability was found in bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0. It has been classified as critical. Impacted is the function Config::memory_guard_size. The manipulation leads to memory corruption. This vulnerability is traded as CVE-2026-34988. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is recommended. Detailsinfo A vulnerability was found in bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0. It has been rated as problematic. This issue affects the function Config::memory_guard_size. The manipulation with an unknown input leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Impacted is confidentiality. The summary by CVE is: Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of its pooling allocator contains a bug where in certain configurations the contents of linear memory can be leaked from one instance to the next. The implementation of resetting the virtual memory permissions for linear memory used the wrong predicate to determine if resetting was necessary, where the compilation process used a different predicate. This divergence meant that the pooling allocator incorrectly deduced at runtime that resetting virtual memory permissions was not necessary while compile-time determine that virtual memory could be relied upon. The pooling allocator must be in use, Config::memory_guard_size configuration option must be 0, Config::memory_reservation configuration must be less than 4GiB, and pooling allocator must be configured with max_memory_size the same as the memory_reservation value in order to exploit this vulnerability. If all of these conditions are applicable then when a linear memory is reused the VM permissions of the previous iteration are not reset. This means that the compiled code, which is assuming out-of-bounds loads will segfault, will not actually segfault and can read the previous contents of linear memory if it was previously mapped. This represents a data leakage vulnerability between guest WebAssembly instances which breaks WebAssembly's semantics and additionally breaks the sandbox that Wasmtime provides. Wasmtime is not vulnerable to this issue with its default settings, nor with the default settings of the pooling allocator, but embeddings are still allowed to configure these values to cause this vulnerability. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1. The advisory is shared at github.com. The identification of this vulnerability is CVE-2026-34988 since 03/31/2026. The exploitation is known to be difficult. The attack may be initiated remotely. Technical details are known, but no exploit is available. Upgrading to version 36.0.7, 42.0.2 or 44.0.1 eliminates this vulnerability. Productinfo Vendor bytecodealliance Name wasmtime Version 36.0.0 36.0.1 36.0.2 36.0.3 36.0.4 36.0.5 36.0.6 42.0.0 42.0.1 44.0 Website Product: https://github.com/bytecodealliance/wasmtime/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA CVSS-B Score: 🔒 CNA CVSS-BT Score: 🔒 CNA Vector: 🔒 CVSSv3info VulDB Meta Base Score: 3.1 VulDB Meta Temp Score: 3.0 VulDB Base Score: 3.1 VulDB Temp Score: 3.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Memory corruption CWE: CWE-119 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: wasmtime 36.0.7/42.0.2/44.0.1 Timelineinfo 03/31/2026 CVE reserved 04/09/2026 +9 days Advisory disclosed 04/09/2026 +0 days VulDB entry created 04/09/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: GHSA-6wgr-89rj-399p Status: Confirmed CVE: CVE-2026-34988 (🔒) GCVE (CVE): GCVE-0-2026-34988 GCVE (VulDB): GCVE-100-356669 Entryinfo Created: 04/09/2026 22:04 Changes: 04/09/2026 22:04 (68) Complete: 🔍 Cache ID: 99:53B:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸