Buffer overflow in Bytecodealliance Wasmtime

CVE-2026-34988

Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of its pooling allocator contains a bug where in certain configurations the contents of linear memory can be leaked from one…

Vulnerability class: Buffer Overflow

EPSS: 0.000 (1.5th percentile) — read the EPSS interpretation.

Affected products

Bytecodealliance Wasmtime — versions >= 28.0.0, < 36.0.7, >= 37.0.0, < 42.0.2, >= 43.0.0, < 44.0.1

Weakness classification (CWE)

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-6wgr-89rj-399p (x_refsource_CONFIRM)