Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
AnalysisAI
Wasmtime's Winch compiler in versions 25.0.0 through 36.0.6, 42.0.1, and 43.0.0 incorrectly translates the WebAssembly table.size instruction for 64-bit tables under the memory64 proposal, allowing WebAssembly guests to read sensitive data from the host's stack. The vulnerability stems from static typing the return value as 32-bit instead of consulting the table's actual index type, which when combined with Winch's multi-value return ABI mechanics enables stack data disclosure. This is fixed in Wasmtime 36.0.7, 42.0.2, and 43.0.1; no public exploit code or active exploitation has been identified at time of analysis, but the low CVSS score (2.3) reflects limited real-world impact due to authentication requirements and limited technical scope.
Technical ContextAI
Wasmtime is a runtime for executing WebAssembly (WASM) modules, maintained by the Bytecode Alliance. The vulnerability affects the Winch compiler backend, which translates WebAssembly instructions to native machine code. The bug occurs in the handling of the table.size instruction when operating on 64-bit tables, a feature introduced in WebAssembly's memory64 proposal. The root cause (CWE-681: Incorrect Conversion between Numeric Types) involves a type mismatch where the return value of table.size was hard-coded as a 32-bit integer register rather than dynamically determined based on the table's declared index type. In Winch's ABI calling convention for multi-value returns, this causes the upper 32 bits of the return register to retain stale host stack data, which is then visible to the WASM guest. The affected CPE string cpe:2.3:a:bytecodealliance:wasmtime encompasses all Wasmtime installations, but only those running untrusted WASM code on versions with the Winch compiler backend are exposed.
RemediationAI
Upgrade Wasmtime to version 36.0.7 or later (if using the 36.x branch), version 42.0.2 or later (if using the 42.x branch), or version 43.0.1 or later (if using the 43.x branch). Vendor-released patches addressing the table.size instruction translation bug are available in these versions. Users unable to upgrade immediately should disable the Winch compiler backend or restrict execution of untrusted WebAssembly modules to air-gapped or strongly isolated environments; however, these workarounds do not eliminate the root cause. For detailed guidance, refer to the Bytecode Alliance security advisory at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946.
wasmtime is a fast and secure runtime for WebAssembly. Rated critical severity (CVSS 9.9), this vulnerability is remotel
Wasmtime is a standalone runtime for WebAssembly. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp
Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. Rated critical severity (CVSS 9.8), this vu
wasmtime is a runtime for WebAssembly. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Pu
Arbitrary memory read/write vulnerability in Bytecode Alliance Wasmtime versions 32.0.0 through 36.0.6, 42.0.0-42.0.1, a
Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit
Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit
Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.6), this vulnerability is remotely exploit
Wasmtime's HTTP header handling in the wasmtime-wasi-http crate crashes when processing excessive header fields, allowin
Wasmtime versions 39.0.0 and later experience a denial-of-service panic when async WebAssembly component functions are c
Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploit
Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 7.4), this vulnerability is remotely exploit
Same weakness CWE-681 – Incorrect Conversion between Numeric Types
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21024
GHSA-m9w2-8782-2946