CVE-2026-34987 | bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0 out-of-bounds (GHSA-xx5w-cvp6-jv83)

VDB-356664 · CVE-2026-34987 · GHSA-XX5W-CVP6-JV83 BYTECODEALLIANCE WASMTIME UP TO 36.0.6/42.0.1/44.0.0 OUT-OF-BOUNDS HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 6.0 $0-$5k 0.84 Summaryinfo A vulnerability classified as problematic was found in bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0. Affected by this vulnerability is an unknown functionality. The manipulation results in out-of-bounds. This vulnerability is cataloged as CVE-2026-34987. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is advised. Detailsinfo A vulnerability, which was classified as critical, was found in bytecodealliance wasmtime up to 36.0.6/42.0.1/44.0.0. Affected is an unknown function. The manipulation with an unknown input leads to a out-of-bounds vulnerability. CWE is classifying the issue as CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes: Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-memory sandbox. This vulnerability requires use of the Winch compiler (-Ccompiler=winch). By default, Wasmtime uses its Cranelift backend, not Winch. With Winch, the same incorrect assumption is present in theory on both aarch64 and x86-64. The aarch64 case has an observed-working proof of concept, while the x86-64 case is theoretical and may not be reachable in practice. This Winch compiler bug can allow the Wasm guest to access memory before or after the linear-memory region, independently of whether pre- or post-guard regions are configured. The accessible range in the initial bug proof-of-concept is up to 32KiB before the start of memory, or ~4GiB after the start of memory, independently of the size of pre- or post-guard regions or the use of explicit or guard-region-based bounds checking. However, the underlying bug assumes a 32-bit memory offset stored in a 64-bit register has its upper bits cleared when it may not, and so closely related variants of the initial proof-of-concept may be able to access truly arbitrary memory in-process. This could result in a host process segmentation fault (DoS), an arbitrary data leak from the host process, or with a write, potentially an arbitrary RCE. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1. The advisory is shared for download at github.com. This vulnerability is traded as CVE-2026-34987 since 03/31/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. There are neither technical details nor an exploit publicly available. Upgrading to version 36.0.7, 42.0.2 or 44.0.1 eliminates this vulnerability. Productinfo Vendor bytecodealliance Name wasmtime Version 36.0.0 36.0.1 36.0.2 36.0.3 36.0.4 36.0.5 36.0.6 42.0.0 42.0.1 44.0 Website Product: https://github.com/bytecodealliance/wasmtime/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA CVSS-B Score: 🔒 CNA CVSS-BT Score: 🔒 CNA Vector: 🔒 CVSSv3info VulDB Meta Base Score: 6.3 VulDB Meta Temp Score: 6.0 VulDB Base Score: 6.3 VulDB Temp Score: 6.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Out-of-bounds CWE: CWE-125 / CWE-119 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: wasmtime 36.0.7/42.0.2/44.0.1 Timelineinfo 03/31/2026 CVE reserved 04/09/2026 +9 days Advisory disclosed 04/09/2026 +0 days VulDB entry created 04/09/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: GHSA-xx5w-cvp6-jv83 Status: Confirmed CVE: CVE-2026-34987 (🔒) GCVE (CVE): GCVE-0-2026-34987 GCVE (VulDB): GCVE-100-356664 Entryinfo Created: 04/09/2026 22:04 Changes: 04/09/2026 22:04 (67) Complete: 🔍 Cache ID: 99:77F:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸