CVE-2026-34988— Wasmtime leaks data between pooling allocator instances
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-34988
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Wasmtime leaks data between pooling allocator instances
Source: NVD (National Vulnerability Database)
Vulnerability Description
Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of its pooling allocator contains a bug where in certain configurations the contents of linear memory can be leaked from one instance to the next. The implementation of resetting the virtual memory permissions for linear memory used the wrong predicate to determine if resetting was necessary, where the compilation process used a different predicate. This divergence meant that the pooling allocator incorrectly deduced at runtime that resetting virtual memory permissions was not necessary while compile-time determine that virtual memory could be relied upon. The pooling allocator must be in use, Config::memory_guard_size configuration option must be 0, Config::memory_reservation configuration must be less than 4GiB, and pooling allocator must be configured with max_memory_size the same as the memory_reservation value in order to exploit this vulnerability. If all of these conditions are applicable then when a linear memory is reused the VM permissions of the previous iteration are not reset. This means that the compiled code, which is assuming out-of-bounds loads will segfault, will not actually segfault and can read the previous contents of linear memory if it was previously mapped. This represents a data leakage vulnerability between guest WebAssembly instances which breaks WebAssembly's semantics and additionally breaks the sandbox that Wasmtime provides. Wasmtime is not vulnerable to this issue with its default settings, nor with the default settings of the pooling allocator, but embeddings are still allowed to configure these values to cause this vulnerability. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
内存缓冲区边界内操作的限制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
wasmtime 缓冲区错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
wasmtime是Bytecode Alliance开源的一个轻量级WebAssembly运行时。 Wasmtime 36.0.7之前版本、42.0.2之前版本和43.0.1之前版本存在缓冲区错误漏洞,该漏洞源于池化分配器在重置虚拟内存权限时使用了错误的谓词,可能导致访客WebAssembly实例之间的数据泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| bytecodealliance | wasmtime | >= 28.0.0, < 36.0.7 | - |
II. Public POCs for CVE-2026-34988
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-34988
请登录查看更多情报信息。
Same Patch Batch · bytecodealliance · 2026-04-09 · 12 CVEs total
| CVE-2026-35195 | Wasmtime has an out-of-bounds write or crash when transcoding component model strings | |
| CVE-2026-35186 | Wasmtime has an improperly masked return value from `table.grow` with Winch compiler backe | |
| CVE-2026-34983 | Wasmtime has a use-after-free bug after cloning `wasmtime::Linker` | |
| CVE-2026-34941 | Wasmtime has a Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding | |
| CVE-2026-34942 | Wasmtime panics when transcoding misaligned utf-16 strings | |
| CVE-2026-34971 | Wasmtime miscompiled guest heap access enables sandbox escape on aarch64 Cranelift | |
| CVE-2026-34946 | Wasmtime's host panics when Winch compiler executes `table.fill` | |
| CVE-2026-34944 | Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64 | |
| CVE-2026-34945 | Wasmtime leaks host data with 64-bit tables and Winch | |
| CVE-2026-34987 | Wasmtime with Winch compiler backend on aarch64 may allow a sandbox-escaping memory access | |
| CVE-2026-34943 | Wasmtime panics when lifting `flags` component value |
IV. Related Vulnerabilities
Same product: wasmtime
- CVE-2026-35195
Wasmtime has an out-of-bounds write or crash when transcodin - CVE-2026-35186
Wasmtime has an improperly masked return value from `table.g - CVE-2026-34987
Wasmtime with Winch compiler backend on aarch64 may allow a - CVE-2026-34983
Wasmtime has a use-after-free bug after cloning `wasmtime::L - CVE-2026-34971
Wasmtime miscompiled guest heap access enables sandbox escap
Same vendor: bytecodealliance
- CVE-2026-35195
Wasmtime has an out-of-bounds write or crash when transcodin - CVE-2026-35186
Wasmtime has an improperly masked return value from `table.g - CVE-2026-34987
Wasmtime with Winch compiler backend on aarch64 may allow a - CVE-2026-34983
Wasmtime has a use-after-free bug after cloning `wasmtime::L - CVE-2026-34971
Wasmtime miscompiled guest heap access enables sandbox escap
Same weakness: CWE-119
- CVE-2026-22167
GPU DDK - Cache resident PM buffers writable by other GPU re - CVE-2026-27890
Firebird has Pre-Auth DOS when Processing Out of Order CNCT_ - CVE-2026-34864
Huawei HarmonyOS 安全漏洞 - CVE-2026-4149
Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code - CVE-2026-39892
cryptography has a buffer overflow if non-contiguous buffers
V. Comments for CVE-2026-34988
No comments yet