2457004 – (CVE-2026-34945) CVE-2026-34945 wasmtime: winch: Wasmtime Winch compiler: Information disclosure via incorrect table.size instruction translation

Bug 2457004 (CVE-2026-34945) - CVE-2026-34945 wasmtime: winch: Wasmtime Winch compiler: Information disclosure via incorrect table.size instruction translation

Summary: CVE-2026-34945 wasmtime: winch: Wasmtime Winch compiler: Information disclosu...

Keywords:
Status:	NEW
Alias:	CVE-2026-34945
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2457173
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-09 19:02 UTC by OSIDB Bzimport
Modified:	2026-04-09 22:54 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-09 19:02:32 UTC

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, incorrectly translated the table.size instruction. This bug could lead to disclosing data on the host's stack to WebAssembly guests. The host's stack can possibly contain sensitive data related to other host-originating operations which is not intended to be disclosed to guests. This bug specifically arose from a mistake where the return value of table.size was statically typed as a 32-bit integer, as opposed to consulting the table's index type to see how large the returned register could be. When combined with details about Wnich's ABI, such as multi-value returns, this can be combined to read stack data from the host, within a guest. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.

Note You need to log in before you can comment on or make changes to this bug.