CVE-2026-34946 Overview
CVE-2026-34946 is a denial-of-service vulnerability in Wasmtime, a runtime for WebAssembly, affecting the Winch compiler's handling of the table.fill instruction. The vulnerability allows a valid guest compiled with Winch to cause the host to panic, resulting in service disruption. This issue stems from a historical refactoring that changed how compiled code referenced tables within table instructions, but failed to update the corresponding Winch code paths.
Critical Impact
Authenticated attackers can trigger a host panic through specially crafted WebAssembly modules compiled with the Winch compiler, causing denial of service.
Affected Products
- Wasmtime versions 25.0.0 to before 36.0.7
- Wasmtime versions 42.0.0 to before 42.0.2
- Wasmtime versions 43.0.0 to before 43.0.1
Discovery Timeline
- April 9, 2026 - CVE-2026-34946 published to NVD
- April 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34946
Vulnerability Analysis
This vulnerability is classified under CWE-670 (Always-Incorrect Control Flow Implementation), indicating a fundamental logic flaw in how the Winch compiler processes table operations. The root issue is an inconsistency between the table indexing scheme used by the main Wasmtime codebase and the Winch compiler's implementation.
When compiling WebAssembly modules containing table.fill instructions, the Winch compiler uses an outdated indexing scheme that was not updated during a historical refactoring effort. This mismatch causes the compiler to either reference nonexistent tables (triggering a panic) or access incorrect tables (resulting in spec-incorrect behavior).
The vulnerability can be exploited remotely over a network, though it requires some level of authenticated access and user interaction. Due to the nature of Winch's feature support, the impact is primarily limited to availability concerns rather than confidentiality or integrity breaches.
Root Cause
The root cause is a refactoring oversight in the Winch compiler codebase. During a previous update that changed how compiled code references tables within table.* instructions, the Winch-specific code paths were not updated to reflect the new indexing scheme. This resulted in the Winch compiler continuing to use the legacy table indexing methodology while the rest of the codebase had moved to a new approach.
Attack Vector
The attack vector is network-based, requiring an attacker to submit a malicious WebAssembly module to a Wasmtime instance configured to use the Winch compiler. When the module containing a table.fill instruction is compiled, the incorrect table indexing can cause one of two outcomes:
- Host Panic: If the incorrect index references a nonexistent table, the host will panic and crash, causing denial of service
- Spec-Incorrect Behavior: If the incorrect index references a different valid table, the wrong table will be modified, potentially causing unexpected application behavior
The vulnerability affects Wasmtime deployments on any architecture when using the Winch compiler. Attackers need some level of authenticated access and must be able to submit WebAssembly modules for compilation.
Detection Methods for CVE-2026-34946
Indicators of Compromise
- Unexpected Wasmtime process crashes or panics during WebAssembly module compilation
- Error logs indicating table index out of bounds or invalid table references in Winch compiler operations
- Repeated service restarts correlating with WebAssembly module submission attempts
Detection Strategies
- Monitor Wasmtime processes for panic-related exit codes and crash dumps
- Implement logging around WebAssembly module compilation to capture table.fill instruction processing
- Review system logs for patterns indicating exploitation attempts targeting the Winch compiler
Monitoring Recommendations
- Configure alerting for Wasmtime service availability and unexpected restarts
- Monitor resource utilization and service health for applications using Wasmtime with Winch compiler
- Implement rate limiting on WebAssembly module submission endpoints to mitigate exploitation attempts
How to Mitigate CVE-2026-34946
Immediate Actions Required
- Upgrade Wasmtime to version 36.0.7, 42.0.2, or 43.0.1 depending on your current version branch
- Review and audit any WebAssembly modules that may contain table.fill instructions
- Consider temporarily switching to an alternative compiler backend if immediate patching is not feasible
Patch Information
The vulnerability is fixed in Wasmtime versions 36.0.7, 42.0.2, and 43.0.1. Organizations should update to the appropriate patched version based on their current deployment:
- Users on versions 25.0.0 through 36.0.x should upgrade to 36.0.7
- Users on version 42.0.x should upgrade to 42.0.2
- Users on version 43.0.x should upgrade to 43.0.1
For additional details, refer to the GitHub Security Advisory.
Workarounds
- Disable the Winch compiler and use an alternative Wasmtime compiler backend until patching is complete
- Implement input validation to reject or quarantine WebAssembly modules containing table.fill instructions
- Deploy Wasmtime instances in isolated environments with proper process supervision to automatically restart crashed instances
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
