CVE-2026-34945 Overview
CVE-2026-34945 is an Information Disclosure vulnerability affecting Wasmtime, a runtime for WebAssembly. From versions 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler incorrectly translated the table.size instruction for 64-bit tables (part of WebAssembly's memory64 proposal). This bug could lead to disclosing data on the host's stack to WebAssembly guests.
Critical Impact
Host stack data containing sensitive information from other host-originating operations may be unintentionally disclosed to WebAssembly guests, potentially compromising confidential data within the runtime environment.
Affected Products
- Wasmtime versions 25.0.0 to before 36.0.7
- Wasmtime versions 42.0.0 to before 42.0.2
- Wasmtime versions 43.0.0 to before 43.0.1
Discovery Timeline
- 2026-04-09 - CVE CVE-2026-34945 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-34945
Vulnerability Analysis
This vulnerability stems from an incorrect integer type conversion (CWE-681) in the Winch compiler's handling of the table.size instruction when operating with 64-bit tables as part of WebAssembly's memory64 proposal. The flaw allows WebAssembly guest code to read unintended stack data from the host environment.
The vulnerability is exploitable over the network with low attack complexity, though it requires prior authentication and specific attack conditions to be met. The impact is limited to confidentiality breaches affecting both the vulnerable system and potentially connected components, with no integrity or availability impact.
Root Cause
The root cause is a type confusion error: the return value of table.size was statically typed as a 32-bit integer instead of being derived from the table's index type, which determines the appropriate register width. For 64-bit tables, this mismatch causes incorrect register handling, leaving residual stack data accessible.
Attack Vector
The attack exploits the interaction between the incorrectly typed table.size return value and specific details of Winch's ABI, particularly multi-value returns. When a WebAssembly guest executes table.size on a 64-bit table, the compiler's assumption of a 32-bit return value results in only partial register initialization. The upper bits of the 64-bit register may contain leftover data from prior host operations.
By combining this with multi-value return semantics, an attacker controlling WebAssembly guest code can craft operations that expose these uninitialized upper bits, effectively reading arbitrary stack data from the host. The disclosed data could include sensitive information such as memory addresses, cryptographic material, or other confidential host state.
Detection Methods for CVE-2026-34945
Indicators of Compromise
- Unusual WebAssembly module behavior involving frequent table.size calls on 64-bit tables
- WebAssembly guests accessing or exfiltrating unexpected data patterns that match host memory layouts
- Anomalous multi-value return operations in WebAssembly execution traces
Detection Strategies
- Monitor WebAssembly runtime logs for modules utilizing the memory64 proposal features with 64-bit tables
- Implement static analysis of WebAssembly modules to detect potentially malicious table.size usage patterns
- Review Wasmtime runtime configurations to identify deployments using vulnerable Winch compiler versions
Monitoring Recommendations
- Enable verbose logging for Wasmtime runtime operations to capture table manipulation events
- Implement network traffic analysis to detect potential data exfiltration from WebAssembly runtime environments
- Deploy application-level monitoring to track WebAssembly guest memory access patterns
How to Mitigate CVE-2026-34945
Immediate Actions Required
- Upgrade Wasmtime to version 36.0.7, 42.0.2, or 43.0.1 or later immediately
- Audit deployed WebAssembly modules for usage of 64-bit tables and the memory64 proposal features
- Consider temporarily disabling the Winch compiler in favor of alternative compilation backends if immediate patching is not possible
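An added example (not Wasmtime project code) serving both the static-analysis detection strategy and the module audit action above: a small parser for the table section of a .wasm binary that flags tables whose limits carry the memory64 IS64 flag (0x04), i.e. the 64-bit tables on which Winch's table.size translation was wrong. The sample module bytes are constructed inline; tables in the function-references form (0x40 prefix) and imported tables are outside what it parses.

```python
# Audit helper: list the tables a .wasm module defines and flag 64-bit ones.
TABLE_SECTION = 4
LIMITS_HAS_MAX, LIMITS_IS64 = 0x01, 0x04   # limits flag bits; IS64 comes from memory64
REFTYPES = {0x70: "funcref", 0x6F: "externref"}

def read_leb_u(buf, pos):
    """Decode an unsigned LEB128 integer at buf[pos]; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def parse_tables(module):
    """Return one dict per table in the table section (imported tables are not counted)."""
    if module[:8] != b"\0asm\x01\0\0\0":
        raise ValueError("not a WebAssembly binary (bad magic/version)")
    pos, tables = 8, []
    while pos < len(module):
        sec_id, pos = module[pos], pos + 1
        size, pos = read_leb_u(module, pos)
        end = pos + size
        if sec_id == TABLE_SECTION:
            count, p = read_leb_u(module, pos)
            for idx in range(count):
                if module[p] == 0x40:  # function-references form with init expr: not handled
                    raise NotImplementedError("table with init expression")
                reftype, flags = module[p], module[p + 1]
                minimum, p = read_leb_u(module, p + 2)
                maximum = None
                if flags & LIMITS_HAS_MAX:
                    maximum, p = read_leb_u(module, p)
                tables.append({"index": idx, "reftype": REFTYPES.get(reftype, hex(reftype)),
                               "is64": bool(flags & LIMITS_IS64), "min": minimum, "max": maximum})
        pos = end  # other sections are skipped whole
    return tables

def find_64bit_tables(module):
    """Indices of tables with an i64 index type (the ones Winch's table.size mis-handled)."""
    return [t["index"] for t in parse_tables(module) if t["is64"]]

# Constructed sample: one 64-bit funcref table followed by one ordinary 32-bit table.
SAMPLE_MODULE = bytes([
    0x00, 0x61, 0x73, 0x6D, 0x01, 0x00, 0x00, 0x00,  # "\0asm", version 1
    0x04, 0x08, 0x02,                                # table section, 8 bytes, 2 tables
    0x70, 0x04, 0x01,                                # funcref, flags=IS64, min=1, no max
    0x70, 0x01, 0x00, 0x10,                          # funcref, flags=HAS_MAX, min=0, max=16
])

if __name__ == "__main__":
    print("64-bit tables:", find_64bit_tables(SAMPLE_MODULE))  # -> [0]
```

Run it over each deployed module (read the file with open(path, "rb").read()); any non-empty result marks a module that needs a patched Wasmtime or a non-Winch backend.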
Patch Information
Bytecode Alliance has released patched versions addressing this vulnerability. Users should upgrade to one of the following fixed versions based on their current deployment:
- Version 36.0.7 for users on the 36.x release branch
- Version 42.0.2 for users on the 42.x release branch
- Version 43.0.1 for users on the 43.x release branch
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Disable the Winch compiler and use Cranelift or other compilation backends that are not affected by this vulnerability
- Restrict deployment of WebAssembly modules that utilize 64-bit tables or memory64 features until patching is complete
- Implement network segmentation to limit potential data exfiltration from compromised WebAssembly runtime environments
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

