Skip to main content

Red Hat EUVDEUVD-2026-21031

| CVE-2026-34987 CRITICAL
Out-of-bounds Read (CWE-125)
2026-04-09 GitHub_M GHSA-xx5w-cvp6-jv83
9.0
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 19:15 euvd
EUVD-2026-21031
Analysis Generated
Apr 09, 2026 - 19:15 vuln.today
CVE Published
Apr 09, 2026 - 18:48 nvd
CRITICAL 9.0

DescriptionGitHub Advisory

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-memory sandbox. This vulnerability requires use of the Winch compiler (-Ccompiler=winch). By default, Wasmtime uses its Cranelift backend, not Winch. With Winch, the same incorrect assumption is present in theory on both aarch64 and x86-64. The aarch64 case has an observed-working proof of concept, while the x86-64 case is theoretical and may not be reachable in practice. This Winch compiler bug can allow the Wasm guest to access memory before or after the linear-memory region, independently of whether pre- or post-guard regions are configured. The accessible range in the initial bug proof-of-concept is up to 32KiB before the start of memory, or ~4GiB after the start of memory, independently of the size of pre- or post-guard regions or the use of explicit or guard-region-based bounds checking. However, the underlying bug assumes a 32-bit memory offset stored in a 64-bit register has its upper bits cleared when it may not, and so closely related variants of the initial proof-of-concept may be able to access truly arbitrary memory in-process. This could result in a host process segmentation fault (DoS), an arbitrary data leak from the host process, or with a write, potentially an arbitrary RCE. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.

AnalysisAI

Memory sandbox escape in Wasmtime's Winch compiler (versions 25.0.0 to before 36.0.7, 42.0.2, 43.0.1) enables authenticated WebAssembly guests to access arbitrary host process memory outside linear-memory boundaries. Exploitation requires non-default Winch backend activation via -Ccompiler=winch flag. Attackers can read up to 32KiB before memory start or ~4GiB after, with theoretical potential for unlimited in-process memory access due to improper 32-bit offset handling in 64-bit registers. Consequences include host process crashes (DoS), sensitive data exfiltration, or remote code execution through memory writes. Affects aarch64 (confirmed PoC) and x86-64 (theoretical). Publicly available exploit code exists.

Technical ContextAI

CWE-125 out-of-bounds read stems from Winch compiler's failure to clear upper 32 bits of 64-bit registers holding memory offsets, violating sandbox assumptions. Unlike default Cranelift backend, Winch incorrectly trusts zero-extension of 32-bit Wasm offsets, enabling offset manipulation to bypass guard-region protections on both architectures. Proof-of-concept demonstrates reliable aarch64 exploitation; x86-64 variant remains unconfirmed.

RemediationAI

Vendor-released patches: upgrade to Wasmtime 36.0.7, 42.0.2, or 43.0.1 immediately. Organizations unable to patch must disable Winch compiler by removing -Ccompiler=winch flag or switching to default Cranelift backend. Verify compiler configuration in deployment scripts and CI/CD pipelines. Monitor process memory access patterns for anomalous behavior. For containerized Wasmtime deployments, enforce strict memory limits and apply security policies restricting compiler backend selection. Advisory URL: https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83. No workaround exists for environments requiring Winch; patching is mandatory to eliminate sandbox escape risk.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed

Share

EUVD-2026-21031 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy