Skip to main content

Wasmtime EUVDEUVD-2026-21025

| CVE-2026-34946 MEDIUM
Always-Incorrect Control Flow Implementation (CWE-670)
2026-04-09 GitHub_M GHSA-q49f-xg75-m9xw
5.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
5.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 19:15 euvd
EUVD-2026-21025
Analysis Generated
Apr 09, 2026 - 19:15 vuln.today
CVE Published
Apr 09, 2026 - 18:43 nvd
MEDIUM 5.9

DescriptionGitHub Advisory

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-of-service vulnerability in Wasmtime due to guests being able to trigger a panic. The specific issue is that a historical refactoring changed how compiled code referenced tables within the table.* instructions. This refactoring forgot to update the Winch code paths associated as well, meaning that Winch was using the wrong indexing scheme. Due to the feature support of Winch the only problem that can result is tables being mixed up or nonexistent tables being used, meaning that the guest is limited to panicking the host (using a nonexistent table), or executing spec-incorrect behavior and modifying the wrong table. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.

AnalysisAI

Wasmtime's Winch compiler (versions 25.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0) contains a table indexing vulnerability in the table.fill instruction that causes host panic when compiled by Winch on any architecture. A valid WebAssembly guest can trigger this denial-of-service condition due to incorrect table reference indexing left behind after a historical refactoring. EPSS score of 5.9 reflects medium exploitability, and the vulnerability is patched in Wasmtime 36.0.7, 42.0.2, and 43.0.1.

Technical ContextAI

Wasmtime is a standalone WebAssembly runtime used in both standalone and embedded contexts. The Winch compiler is an optional, faster compilation backend for WebAssembly modules. The vulnerability stems from a refactoring that updated how compiled code references tables in table.* instructions (including table.fill), but failed to apply the same indexing scheme changes to the Winch code paths. This resulted in Winch using an incorrect indexing method when resolving table references. The root cause is classified as CWE-670 (Improper Error Handling), where the compiler fails to properly validate or apply the correct table indexing logic. When Winch attempts to access a table using the old indexing scheme, it either references a non-existent table (causing a panic) or accesses the wrong table (violating WebAssembly semantics). The CPE affected product is bytecodealliance:wasmtime across affected versions.

RemediationAI

Upgrade Wasmtime to version 36.0.7, 42.0.2, or 43.0.1 or later, depending on your current branch. These patched versions correct the table indexing logic in the Winch compiler to match the indexing scheme used by the host runtime. If immediate upgrading is not feasible, disable Winch compilation by configuring Wasmtime to use the Cranelift compiler exclusively (the default in most deployments); Cranelift is not affected by this vulnerability. Review your Wasmtime configuration to verify which compiler backend is in use and prioritize patching systems where Winch is explicitly enabled. Consult the official advisory at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw for detailed upgrade instructions.

CVE-2023-26489 CRITICAL
9.9 Mar 08

wasmtime is a fast and secure runtime for WebAssembly. Rated critical severity (CVSS 9.9), this vulnerability is remotel

CVE-2022-39394 CRITICAL
9.8 Nov 10

Wasmtime is a standalone runtime for WebAssembly. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2022-24791 CRITICAL
9.8 Mar 31

Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. Rated critical severity (CVSS 9.8), this vu

CVE-2024-30266 MEDIUM POC
5.5 Apr 04

wasmtime is a runtime for WebAssembly. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Pu

CVE-2026-34971 CRITICAL
9.0 Apr 09

Arbitrary memory read/write vulnerability in Bytecode Alliance Wasmtime versions 32.0.0 through 36.0.6, 42.0.0-42.0.1, a

CVE-2023-30624 HIGH
8.8 Apr 27

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit

CVE-2022-31146 HIGH
8.8 Jul 21

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit

CVE-2022-39393 HIGH
8.6 Nov 10

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.6), this vulnerability is remotely exploit

CVE-2026-27572 HIGH
7.5 Feb 24

Wasmtime's HTTP header handling in the wasmtime-wasi-http crate crashes when processing excessive header fields, allowin

CVE-2026-27195 HIGH
7.5 Feb 24

Wasmtime versions 39.0.0 and later experience a denial-of-service panic when async WebAssembly component functions are c

CVE-2022-31169 HIGH
7.5 Jul 22

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploit

CVE-2022-39392 HIGH
7.4 Nov 10

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 7.4), this vulnerability is remotely exploit

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed

Share

EUVD-2026-21025 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy