Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler backend contains a bug where translating the table.grow operator causes the result to be incorrectly typed. For 32-bit tables this means that the result of the operator, internally in Winch, is tagged as a 64-bit value instead of a 32-bit value. This invalid internal representation of Winch's compiler state compounds into further issues depending on how the value is consumed. The primary consequence of this bug is that bytes in the host's address space can be stored/read from. This is only applicable to the 16 bytes before linear memory, however, as the only significant return value of table.grow that can be misinterpreted is -1. The bytes before linear memory are, by default, unmapped memory. Wasmtime will detect this fault and abort the process, however, because wasm should not be able to access these bytes. Overall this this bug in Winch represents a DoS vector by crashing the host process, a correctness issue within Winch, and a possible leak of up to 16-bytes before linear memory. Wasmtime's default compiler is Cranelift, not Winch, and Wasmtime's default settings are to place guard pages before linear memory. This means that Wasmtime's default configuration is not affected by this issue, and when explicitly choosing Winch Wasmtime's otherwise default configuration leads to a DoS. Disabling guard pages before linear memory is required to possibly leak up to 16-bytes of host data. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
AnalysisAI
Wasmtime versions 25.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0 contain a compiler type-checking bug in the Winch backend where the table.grow operator returns incorrectly typed 64-bit values instead of 32-bit values for 32-bit tables, enabling read/write access to 16 bytes of host memory preceding linear memory and resulting in denial of service when Wasmtime detects the unauthorized access. The vulnerability requires explicit selection of the non-default Winch compiler backend and either disabled guard pages or modified memory layout to achieve information disclosure; default Wasmtime configurations using the Cranelift compiler and standard guard page placement are unaffected. No public exploit code or active exploitation has been identified, though the attack vector is remote and requires low-privilege authenticated access.
Technical ContextAI
Wasmtime is a WebAssembly runtime that supports multiple compiler backends: the default Cranelift compiler and the optional Winch compiler. The Winch backend is responsible for translating WebAssembly instructions to host machine code. The table.grow operator in WebAssembly grows a table instance and returns the previous table size. The vulnerability stems from a type-mismatch bug in Winch's translation of table.grow for 32-bit tables, where the internal compiler representation marks the return value as 64-bit instead of 32-bit. This causes downstream operations that consume this value to misinterpret a -1 return (indicating table growth failure) as a large unsigned 64-bit value, permitting out-of-bounds memory access to the 16 bytes immediately preceding the linear memory region. The root cause is a type classification error (CWE-789: Memory Allocation with Excessive Size Value) that violates Winch's internal type invariants. Exploitation requires either disabling guard pages (memory protection regions placed before linear memory by default) or using a custom memory layout that does not provide this protection. The vulnerability affects Wasmtime versions 25.0.0-36.0.6, 42.0.0-42.0.1, and 43.0.0 across all platforms where Winch is compiled, as indicated by the CPE cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:*:*:*.
RemediationAI
Upgrade Wasmtime to version 36.0.7, 42.0.2, 43.0.1, or any subsequent release that includes the fix. For organizations unable to upgrade immediately, disable the Winch compiler backend and use the default Cranelift backend, or ensure that memory guard pages are enabled (the default configuration) to mitigate information disclosure risk. Disabling Winch is the most conservative interim mitigation because it eliminates the vulnerability entirely for default deployments. Organizations using custom memory layouts with guard pages disabled should prioritize upgrading to a patched version and should not use Winch until the upgrade is complete. Detailed remediation guidance and technical advisory information is provided in the GitHub Security Advisory at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-f984-pcp8-v2p7.
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21037
GHSA-f984-pcp8-v2p7