EXECUTIVE SUMMARY:
CVE-2026-34987, with a CVSS score of 9.8, is a sandbox-escaping memory access vulnerability in Wasmtime's Winch compiler backend on aarch64 that allows properly constructed guest Wasm to access host memory outside of its linear-memory sandbox. It affects Wasmtime versions greater than or equal to 25.0.0 and less than 36.0.7, versions 37.0.0 to 42.0.2, and version 43.0.0. The vulnerability is present when the Winch compiler is used (-Ccompiler=winch): this backend incorrectly assumes that a 32-bit memory offset stored in a 64-bit register has its upper bits cleared, when they may not be. Exploitation requires only that Wasmtime is running with the Winch compiler on aarch64; no privileged access is needed. A successful attacker can access arbitrary host memory, which could result in a host process segmentation fault (DoS), an arbitrary data leak from the host process, or, with a write, potentially arbitrary remote code execution (RCE). The business impact is significant: unauthorized access to sensitive host memory can lead to data breaches, system compromise, or other malicious activities.
RECOMMENDATION:
We recommend updating Wasmtime to version 43.0.1, 42.0.2, or 36.0.7.
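To triage a fleet against the three conditions in the summary (affected version, aarch64, Winch backend), the following is an added example and not code from the advisory or the Wasmtime project. It assumes the "37.0.0 to 42.0.2" range stops short of 42.0.2, since 42.0.2 is listed as a fixed release; the host names and inventory are constructed.

```python
import re

# Affected ranges from the summary above, as half-open [low, high) intervals.
# Assumption: the "37.0.0 to 42.0.2" range excludes 42.0.2, because the
# recommendation lists 42.0.2 as an update target.
AFFECTED = [
    ((25, 0, 0), (36, 0, 7)),
    ((37, 0, 0), (42, 0, 2)),
    ((43, 0, 0), (43, 0, 1)),
]

def parse_version(text):
    """Return (major, minor, patch) from a string such as '36.0.6' or 'v43.0.0'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def version_affected(text):
    v = parse_version(text)
    return any(low <= v < high for low, high in AFFECTED)

def is_exposed(version, arch, compiler):
    """True only when all three conditions from the summary hold."""
    arch_hit = arch.lower() in ("aarch64", "arm64")
    winch_hit = compiler.lower() == "winch"
    return version_affected(version) and arch_hit and winch_hit

def triage(inventory):
    """Map each host name to 'exposed', 'patch-pending' or 'ok'."""
    report = {}
    for host, (version, arch, compiler) in inventory.items():
        if is_exposed(version, arch, compiler):
            report[host] = "exposed"
        elif version_affected(version):
            # Vulnerable build, but not running Winch on aarch64 today.
            report[host] = "patch-pending"
        else:
            report[host] = "ok"
    return report

# Constructed inventory: host -> (wasmtime version, CPU arch, compiler backend).
SAMPLE = {
    "edge-a": ("36.0.6", "aarch64", "winch"),
    "edge-b": ("36.0.6", "aarch64", "cranelift"),
    "edge-c": ("43.0.0", "x86_64", "winch"),
    "edge-d": ("43.0.1", "arm64", "winch"),
    "edge-e": ("24.0.0", "aarch64", "winch"),
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "patch-pending" run an affected build without the triggering configuration and become exposed if the backend is later switched to Winch on aarch64.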
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-xx5w-cvp6-jv83