Vulnerability in Bytecodealliance Wasmtime

CVE-2026-35186

Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler backend contains a bug where translating the table.grow operator causes the result to be incorrectly typed. For 32-bit table…

EPSS: 0.001 (17.1th percentile) — read the EPSS interpretation.

Affected products

Bytecodealliance Wasmtime — versions >= 25.0.0, < 36.0.7, >= 37.0.0, < 42.0.2, >= 43.0.0, < 44.0.1

Weakness classification (CWE)

CWE-789

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-f984-pcp8-v2p7 (x_refsource_CONFIRM)