GHSA-m9w2-8782-2946

Source

https://github.com/advisories/GHSA-m9w2-8782-2946

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-m9w2-8782-2946/GHSA-m9w2-8782-2946.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-m9w2-8782-2946

Aliases

CVE-2026-34945
RUSTSEC-2026-0086

Published

2026-04-09T20:23:02Z

Modified

2026-04-10T14:50:00.593848Z

Severity

2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N CVSS Calculator

Summary

Wasmtime has host data leakage with 64-bit tables and Winch

Details

Impact

Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests.

This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This information disclosure should not be possible in WebAssembly, violates spec semantics, and is a vulnerability in Wasmtime.

Patches

Wasmtime 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. Users are recommended to update to these patched versions of Wasmtime.

Workarounds

Users of Cranelift are not affected by this issue, but users of Winch have no workarounds other than disabling the Config::wasm_memory64 proposal.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2026-04-09T19:16:24Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-681"
    ],
    "github_reviewed_at": "2026-04-09T20:23:02Z",
    "severity": "LOW"
}

References

Affected packages

crates.io / wasmtime

Package

Name: wasmtime; View open source insights on deps.dev
Purl: pkg:cargo/wasmtime

Affected ranges

Type: SEMVER
Events: Introduced

25.0.0

Fixed

36.0.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-m9w2-8782-2946/GHSA-m9w2-8782-2946.json"

crates.io / wasmtime

Package

Name: wasmtime; View open source insights on deps.dev
Purl: pkg:cargo/wasmtime

Affected ranges

Type: SEMVER
Events: Introduced

37.0.0

Fixed

42.0.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-m9w2-8782-2946/GHSA-m9w2-8782-2946.json"

crates.io / wasmtime

Package

Name: wasmtime; View open source insights on deps.dev
Purl: pkg:cargo/wasmtime

Affected ranges

Type: SEMVER
Events: Introduced

43.0.0

Fixed

43.0.1

Affected versions

43.*

43.0.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-m9w2-8782-2946/GHSA-m9w2-8782-2946.json"