{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34945", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T17:27:08.661Z", "datePublished": "2026-04-09T18:40:48.446Z", "dateUpdated": "2026-04-10T14:12:18.460Z"}, "containers": {"cna": {"title": "Wasmtime leaks host data with 64-bit tables and Winch", "problemTypes": [{"descriptions": [{"cweId": "CWE-681", "lang": "en", "description": "CWE-681: Incorrect Conversion between Numeric Types", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946"}], "affected": [{"vendor": "bytecodealliance", "product": "wasmtime", "versions": [{"version": ">= 25.0.0, < 36.0.7", "status": "affected"}, {"version": ">= 37.0.0, < 42.0.2", "status": "affected"}, {"version": ">= 43.0.0, < 44.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T18:40:48.446Z"}, "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1."}], "source": {"advisory": "GHSA-m9w2-8782-2946", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T14:12:11.204857Z", "id": "CVE-2026-34945", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:12:18.460Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34945", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T14:12:11.204857Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:12:15.289Z"}}], "cna": {"title": "Wasmtime leaks host data with 64-bit tables and Winch", "source": {"advisory": "GHSA-m9w2-8782-2946", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "bytecodealliance", "product": "wasmtime", "versions": [{"status": "affected", "version": ">= 25.0.0, < 36.0.7"}, {"status": "affected", "version": ">= 37.0.0, < 42.0.2"}, {"status": "affected", "version": ">= 43.0.0, < 44.0.1"}]}], "references": [{"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946", "name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-681", "description": "CWE-681: Incorrect Conversion between Numeric Types"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T18:40:48.446Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34945", "state": "PUBLISHED", "dateUpdated": "2026-04-10T14:12:18.460Z", "dateReserved": "2026-03-31T17:27:08.661Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T18:40:48.446Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1."}], "id": "CVE-2026-34945", "lastModified": "2026-04-09T19:16:24.330", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T19:16:24.330", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-681"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "wasmtime: winch: Wasmtime Winch compiler: Information disclosure via incorrect table.size instruction translation", "id": "2457004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457004"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-681", "details": ["A flaw was found in Wasmtime's Winch compiler. This vulnerability, present in versions from 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, arises from an incorrect translation of the `table.size` instruction for 64-bit WebAssembly tables. An attacker, by crafting a malicious WebAssembly guest, could exploit this flaw to read sensitive data from the host's stack. This information disclosure could expose data related to other host operations that should not be accessible to guests."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-34945", "package_state": [{"cpe": "cpe:/a:redhat:connectivity_link:1", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhcl-1-3-wasm-shim", "product_name": "Red Hat Connectivity Link 1"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "virt-firmware-rs", "product_name": "Red Hat Enterprise Linux 10"}], "public_date": "2026-04-09T18:40:48Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34945\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34945\nhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[25.0.0,36.0.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[37.0.0,42.0.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[43.0.0,44.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wasmtime", "source": "cna", "vendor": "bytecodealliance"}, "product": "wasmtime", "vendor": "bytecodealliance"}], "analysis": {"en": {"generated_at": "2026-04-09T22:05:19.627215+00:00", "value": {"mitigation_remediation": ["Upgrade Wasmtime to version 36.0.7, 42.0.2, 43.0.1 or later"], "summary": {"action": "Apply Patch", "impact": "Host Data Exposure"}, "threat_synthesis": {"affected_systems": "Bytecodealliance Wasmtime releases from 25.0.0 up to, but not including, 36.0.7, as well as the versions 42.0.2 and 43.0.1, contain the vulnerability. These releases have been corrected in 36.0.7, 42.0.2, and 43.0.1.", "description_and_impact": "A bug in Wasmtime\u2019s Winch compiler misinterprets the table.size instruction for 64\u2011bit tables, returning a 32\u2011bit value when the correct size is larger. This mismatch allows a WebAssembly guest to read data that resides on the host\u2019s stack, potentially exposing sensitive information that should remain hidden from untrusted guest code. The flaw represents an integer type mismatch weakness (CWE\u2011681).", "risk_and_exploitability": "The CVSS score of 2.3 indicates low overall risk. Based on the description, it is inferred that an attacker must be able to execute WebAssembly code within a vulnerable Wasmtime instance to trigger the leak, suggesting a local or controlled code execution scenario rather than a traditional remote attack vector. No EPSS data is available and the vulnerability is not listed in CISA\u2019s KEV catalog, implying limited current exploit activity, but host systems running untrusted Wasm code remain at risk of accidental data disclosure."}}}}, "created": "2026-04-10T08:39:16.099385+00:00", "updated": "2026-04-10T09:31:39.501982+00:00", "vendors": ["bytecodealliance", "bytecodealliance$PRODUCT$wasmtime"]}