{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34946", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T17:27:08.661Z", "datePublished": "2026-04-09T18:43:39.137Z", "dateUpdated": "2026-04-09T19:33:33.709Z"}, "containers": {"cna": {"title": "Wasmtime's host panics when Winch compiler executes `table.fill`", "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "lang": "en", "description": "CWE-670: Always-Incorrect Control Flow Implementation", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw"}], "affected": [{"vendor": "bytecodealliance", "product": "wasmtime", "versions": [{"version": ">= 25.0.0, < 36.0.7", "status": "affected"}, {"version": ">= 37.0.0, < 42.0.2", "status": "affected"}, {"version": ">= 43.0.0, < 44.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T18:43:39.137Z"}, "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-of-service vulnerability in Wasmtime due to guests being able to trigger a panic. The specific issue is that a historical refactoring changed how compiled code referenced tables within the table.* instructions. This refactoring forgot to update the Winch code paths associated as well, meaning that Winch was using the wrong indexing scheme. Due to the feature support of Winch the only problem that can result is tables being mixed up or nonexistent tables being used, meaning that the guest is limited to panicking the host (using a nonexistent table), or executing spec-incorrect behavior and modifying the wrong table. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1."}], "source": {"advisory": "GHSA-q49f-xg75-m9xw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T19:33:22.517926Z", "id": "CVE-2026-34946", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T19:33:33.709Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34946", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T17:27:08.661Z", "datePublished": "2026-04-09T18:43:39.137Z", "dateUpdated": "2026-04-09T19:33:33.709Z"}, "containers": {"cna": {"title": "Wasmtime's host panics when Winch compiler executes `table.fill`", "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "lang": "en", "description": "CWE-670: Always-Incorrect Control Flow Implementation", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw"}], "affected": [{"vendor": "bytecodealliance", "product": "wasmtime", "versions": [{"version": ">= 25.0.0, < 36.0.7", "status": "affected"}, {"version": ">= 37.0.0, < 42.0.2", "status": "affected"}, {"version": ">= 43.0.0, < 44.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T18:43:39.137Z"}, "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-of-service vulnerability in Wasmtime due to guests being able to trigger a panic. The specific issue is that a historical refactoring changed how compiled code referenced tables within the table.* instructions. This refactoring forgot to update the Winch code paths associated as well, meaning that Winch was using the wrong indexing scheme. Due to the feature support of Winch the only problem that can result is tables being mixed up or nonexistent tables being used, meaning that the guest is limited to panicking the host (using a nonexistent table), or executing spec-incorrect behavior and modifying the wrong table. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1."}], "source": {"advisory": "GHSA-q49f-xg75-m9xw", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34946", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T19:33:22.517926Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T19:33:28.791Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-of-service vulnerability in Wasmtime due to guests being able to trigger a panic. The specific issue is that a historical refactoring changed how compiled code referenced tables within the table.* instructions. This refactoring forgot to update the Winch code paths associated as well, meaning that Winch was using the wrong indexing scheme. Due to the feature support of Winch the only problem that can result is tables being mixed up or nonexistent tables being used, meaning that the guest is limited to panicking the host (using a nonexistent table), or executing spec-incorrect behavior and modifying the wrong table. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1."}], "id": "CVE-2026-34946", "lastModified": "2026-04-09T19:16:24.490", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T19:16:24.490", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "wasmtime: Wasmtime: Denial of Service via WebAssembly compilation error", "id": "2456998", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456998"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-1285", "details": ["A flaw was found in Wasmtime, a runtime for WebAssembly (Wasm) code. A malicious Wasm program, when processed by Wasmtime's Winch compiler, can cause the underlying system to crash. This is due to an error in how the compiler handles certain instructions, leading to a Denial of Service (DoS) vulnerability where the system becomes unavailable."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-34946", "package_state": [{"cpe": "cpe:/a:redhat:connectivity_link:1", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhcl-1-3-wasm-shim", "product_name": "Red Hat Connectivity Link 1"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "virt-firmware-rs", "product_name": "Red Hat Enterprise Linux 10"}], "public_date": "2026-04-09T18:43:39Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34946\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34946\nhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[25.0.0,36.0.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[37.0.0,42.0.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[43.0.0,44.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wasmtime", "source": "cna", "vendor": "bytecodealliance"}, "product": "wasmtime", "vendor": "bytecodealliance"}], "analysis": {"en": {"generated_at": "2026-04-10T01:22:13.632222+00:00", "value": {"mitigation_remediation": ["Upgrade Wasmtime to version 36.0.7 or newer, or to the fixed 42.0.2 or 43.0.1 releases that contain the patch for this issue.", "If an upgrade cannot be performed immediately, block or disable WebAssembly execution that relies on the Winch compiler until the fix is applied.", "Verify the current Wasmtime version on all systems to confirm it includes the security update.", "Keep monitoring the vendor\u2019s advisories for any additional patches or guidance related to this vulnerability."], "summary": {"action": "Patch", "impact": "Denial of Service (host panic)"}, "threat_synthesis": {"affected_systems": "All Wasmtime releases from 25.0.0 up to, but excluding, 36.0.7, as well as earlier versions of 42.0.2 and 43.0.1 before the patch, are vulnerable. The vulnerability affects the bytecodealliance wasmtime product across all supported architectures.", "description_and_impact": "The Winch compiler in Wasmtime incorrectly processes the WASM table.fill instruction after a refactoring change, causing it to use an invalid table indexing scheme. When executed, the compiled code can reference a non\u2011existent or wrong table, leading the host process to panic. This crash results in a denial\u2011of\u2011service condition that halts the Wasmtime runtime.", "risk_and_exploitability": "The CVSS score of 5.9 categorizes the issue as moderate in severity, and the EPSS score is not publicly available. The vulnerability is not listed in CISA\u2019s KEV catalog, indicating no confirmed mass exploitation yet. Nonetheless, the attack vector is straightforward: any WebAssembly module compiled with Winch that contains a table.fill instruction can trigger a host panic. An attacker only needs to supply such a module, making the exploitation conditions minimal and the risk to services accepting untrusted WebAssembly payloads significant."}}}}, "created": "2026-04-10T08:39:15.117859+00:00", "updated": "2026-04-10T09:31:38.451647+00:00", "vendors": ["bytecodealliance", "bytecodealliance$PRODUCT$wasmtime"]}