Wasmtime Security Fixes

The Wasmtime WebAssembly runtime shipped patches for several recent vulnerabilities, including a Winch compiler table-translation bug (CVE-2026-35186), a use-after-free in Linker cloning (CVE-2026-34983) and prototype-pollution risks (CVE-2026-34987). The fixes are important for performance-sensitive apps that rely on Wasmtime because runtime integrity directly affects both security and execution correctness. Frontend teams using WASM for heavier work should verify they’ve updated to the patched versions. (x.com)

A WebAssembly runtime is the part that takes compact WebAssembly code and runs it on your machine, the way a video player turns a file into moving frames. Wasmtime is one of the best-known runtimes, and its whole job is to keep untrusted code inside a memory sandbox while still running fast enough for real apps. (github.com) That sandbox is mostly a big fenced-off memory region called linear memory. Wasmtime’s security model says guest code should only touch that region, and every memory access is supposed to stay inside the fence. (github.com)

On April 9, 2026, the Wasmtime maintainers shipped emergency patch releases 43.0.1, 42.0.2, 36.0.7, and 24.0.7. Those builds fix 12 security advisories at once, including 2 rated Critical, which is the project’s largest single batch of advisories so far. (bytecodealliance.org)

One of the headline bugs sits in Winch, Wasmtime’s baseline compiler, which is a faster-to-start code generator you can choose instead of the default Cranelift compiler. In affected versions, a bug on 64-bit Arm systems could let specially crafted guest WebAssembly read or write memory outside its sandbox. (github.com) The bug came from a bad assumption about how a 32-bit memory offset sits inside a 64-bit register. If the upper bits were not cleared the way Winch expected, the runtime could calculate the wrong address and wander before or far past the guest’s allowed memory. (github.com) GitHub scored that Winch flaw, tracked as CVE-2026-34987, at 9.2 out of 10. The advisory says the proof of concept on 64-bit Arm could reach up to 32 kibibytes before the start of memory or about 4 gibibytes after it, which opens the door to crashes, data leaks, and potentially remote code execution. (github.com)

A second Winch bug, CVE-2026-35186, is less dramatic to read but dangerous in the way a bad ruler is dangerous to a carpenter. When Winch translated the `table.grow` instruction for 32-bit tables, it tagged the result as a 64-bit value instead of a 32-bit one, which corrupted the compiler’s own internal picture of the program. (tenable.com)

Another fix, CVE-2026-34983, hits Wasmtime’s Linker type, which is the object that wires guest code to host functions. In version 43.0.0, cloning a `wasmtime::Linker`, dropping the original, and then using the clone could trigger a use-after-free bug and crash the host process with a segmentation fault. (github.com) That Linker bug is narrower than the Winch sandbox escape because guest WebAssembly cannot trigger it on its own. The advisory says it only affects host applications using the embedding application programming interface, and only if they actually call the `Clone` implementation on `wasmtime::Linker`; the command-line interface is not affected. (github.com)

The April fixes also include a string-conversion bug, CVE-2026-34941, in Wasmtime’s component model, which is the layer for passing richer values like strings between components. Wasmtime checked the number of UTF-16 code units instead of the byte length, so it could read past the end of guest memory during transcoding and crash, or in nonstandard setups without guard pages, leak host memory. (github.com)

The practical takeaway is simple: if your app embeds Wasmtime, update to 43.0.1, 42.0.2, 36.0.7, or 24.0.7, depending on your release line. If you explicitly enabled the Winch compiler, the urgency is higher, and the project says the temporary fallback is to use the default Cranelift backend until you can patch. (bytecodealliance.org)
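Two of the bugs above are both failures of a bounds check that stands between guest code and host memory: the Winch address calculation that trusted the upper bits of a 64-bit register, and the component-model transcoder that compared a UTF-16 code-unit count against memory size instead of the byte length. The Rust below is an added illustration written for this article, not Wasmtime's code; it models linear memory as a byte vector with constructed contents and shows each flawed check beside the form that keeps every access inside the fence. The function names, the `AccessError` type and the sample memory are assumptions of the example.

```rust
// Added illustration (not Wasmtime code): bounds checks of the kind a runtime
// must get right before touching guest linear memory. Guest memory contents,
// addresses and sizes below are constructed toy values.

/// A rejected guest access, reported with the range that was asked for.
#[derive(Debug, PartialEq)]
pub enum AccessError {
    OutOfBounds { addr: u64, len: u64, memory_len: u64 },
}

/// Flawed form: adds the whole 64-bit register to the static offset, so any
/// stale data in the upper 32 bits lands in the effective address.
pub fn flawed_effective_address(index_reg: u64, static_offset: u32) -> u64 {
    index_reg.wrapping_add(static_offset as u64)
}

/// Hardened form: a 32-bit memory index is explicitly zero-extended before the
/// add, so the result is always below 2^33 regardless of what the register held.
pub fn effective_address(index_reg: u64, static_offset: u32) -> u64 {
    let index = (index_reg as u32) as u64; // explicit zero-extension of the low 32 bits
    index + static_offset as u64            // cannot overflow: both terms < 2^32
}

/// Reject any access whose byte range [addr, addr + len) leaves linear memory.
pub fn check_access(addr: u64, len: u64, memory_len: u64) -> Result<(), AccessError> {
    match addr.checked_add(len) {
        Some(end) if end <= memory_len => Ok(()),
        _ => Err(AccessError::OutOfBounds { addr, len, memory_len }),
    }
}

/// Flawed form: compares the number of UTF-16 code units, not bytes, against
/// memory size, so it under-counts the span by a factor of two.
pub fn flawed_utf16_check_passes(memory_len: u64, ptr: u32, units: u32) -> bool {
    ptr as u64 + units as u64 <= memory_len
}

/// Hardened form: each UTF-16 code unit is two bytes, so the checked span is
/// `units * 2` bytes; only after the check does the transcoder touch memory.
pub fn read_utf16_checked(memory: &[u8], ptr: u32, units: u32) -> Result<String, AccessError> {
    let byte_len = units as u64 * 2;
    check_access(ptr as u64, byte_len, memory.len() as u64)?;
    let start = ptr as usize;
    let bytes = &memory[start..start + byte_len as usize];
    let code_units: Vec<u16> = bytes
        .chunks_exact(2)
        .map(|c| u16::from_le_bytes([c[0], c[1]]))
        .collect();
    Ok(String::from_utf16_lossy(&code_units))
}

/// Constructed 6-byte guest memory: "hi" as UTF-16LE followed by two zero bytes.
pub fn sample_guest_memory() -> Vec<u8> {
    vec![0x68, 0x00, 0x69, 0x00, 0x00, 0x00]
}

fn main() {
    let reg = 0xDEAD_BEEF_0000_0010u64; // stale upper bits, guest index 0x10
    println!("flawed address: {:#x}", flawed_effective_address(reg, 0x20));
    println!("masked address: {:#x}", effective_address(reg, 0x20));

    let mem = sample_guest_memory();
    println!("2 units at 0: {:?}", read_utf16_checked(&mem, 0, 2));
    // 3 code units at offset 2 need 6 bytes, ending at 8, past the 6-byte memory.
    println!("flawed check passes: {}", flawed_utf16_check_passes(mem.len() as u64, 2, 3));
    println!("byte-length check: {:?}", read_utf16_checked(&mem, 2, 3));
}
```

The UTF-16 case is the one worth keeping in mind when reviewing any transcoder: the flawed check accepts a 3-unit read at offset 2 of a 6-byte memory because 2 + 3 is 5, while the byte-length check sees a range ending at byte 8 and refuses it.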
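For the takeaway in the last paragraph, the check an embedder actually needs is "which wasmtime version is pinned in my build, and is it at or past the patch release for that line?". The Rust below is an added example, not tooling from the Wasmtime project: it scans Cargo.lock text for the `wasmtime` crate and compares each pinned version against the four patched versions named above. The `sample_lock` text is constructed, and a major version not in that list is reported as an unlisted line rather than guessed at.

```rust
// Added example, not code from the Wasmtime project: find the pinned `wasmtime`
// crate version(s) in a Cargo.lock and compare each against the April 9, 2026
// patch releases. The lock-file text in `sample_lock` is constructed.

/// Minimum patched version per release line, as listed for the April 9, 2026 batch.
const PATCHED: &[(u64, (u64, u64, u64))] = &[
    (43, (43, 0, 1)),
    (42, (42, 0, 2)),
    (36, (36, 0, 7)),
    (24, (24, 0, 7)),
];

#[derive(Debug, PartialEq)]
pub enum Status {
    Patched,
    NeedsUpdate { minimum: String },
    /// Major version is not one of the lines that received a patch release.
    UnlistedLine,
    Unparseable,
}

/// Parse "43.0.1" (or "v43.0.1"; a "-pre" style suffix is ignored) into a tuple.
pub fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let core = s.trim().trim_start_matches('v').split('-').next()?;
    let nums = core
        .split('.')
        .map(|p| p.parse::<u64>().ok())
        .collect::<Option<Vec<u64>>>()?;
    match nums.as_slice() {
        [major, minor, patch] => Some((*major, *minor, *patch)),
        _ => None,
    }
}

/// Compare a version against the patched floor of its release line.
pub fn status(version: &str) -> Status {
    let v = match parse_version(version) {
        Some(v) => v,
        None => return Status::Unparseable,
    };
    match PATCHED.iter().find(|(major, _)| *major == v.0) {
        None => Status::UnlistedLine,
        Some((_, min)) if v >= *min => Status::Patched,
        Some((_, min)) => Status::NeedsUpdate {
            minimum: format!("{}.{}.{}", min.0, min.1, min.2),
        },
    }
}

/// Every pinned version of the `wasmtime` crate in Cargo.lock text. Cargo.lock
/// is TOML made of `[[package]]` tables whose `name` key precedes `version`.
pub fn wasmtime_versions(lock: &str) -> Vec<String> {
    let mut found = Vec::new();
    let mut in_wasmtime = false;
    for line in lock.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            in_wasmtime = false;
        } else if let Some(name) = line.strip_prefix("name = ") {
            // Exact match only: "wasmtime-environ" and friends are other crates.
            in_wasmtime = name.trim_matches('"') == "wasmtime";
        } else if let Some(ver) = line.strip_prefix("version = ") {
            if in_wasmtime {
                found.push(ver.trim_matches('"').to_string());
            }
        }
    }
    found
}

/// Constructed Cargo.lock excerpt pinning the affected 43.0.0 release.
pub fn sample_lock() -> &'static str {
    "[[package]]\n\
     name = \"wasmtime\"\n\
     version = \"43.0.0\"\n\
     source = \"registry+https://github.com/rust-lang/crates.io-index\"\n\
     \n\
     [[package]]\n\
     name = \"wasmtime-environ\"\n\
     version = \"43.0.0\"\n"
}

fn main() {
    for v in wasmtime_versions(sample_lock()) {
        println!("wasmtime {}: {:?}", v, status(&v));
    }
}
```

Point `wasmtime_versions` at the real Cargo.lock of each service that embeds Wasmtime; a `NeedsUpdate` result on a line that has Winch enabled is the case the project flags as most urgent.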

Shared from Scout - Be the smartest in the room.