CVE-2026-34946
Published: 09 April 2026
Summary
CVE-2026-34946 is a high-severity Always-Incorrect Control Flow Implementation (CWE-670) vulnerability in Bytecodealliance Wasmtime. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 3.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- SI-2 (Flaw Remediation): requires timely remediation of identified flaws, such as patching Wasmtime to fixed versions 36.0.7, 42.0.2, or 43.0.1 to eliminate the Winch compiler panic vulnerability.
- SI-11 (Error Handling): mandates handling of errors from incorrect table indexing in table.fill compilation without causing host panics, directly addressing the vulnerability's crash mechanism.
- Denial-of-service protection: implements protections to mitigate availability impacts from remote attackers triggering host panics via valid WebAssembly modules.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability allows remote unauthenticated attackers to provide a crafted WebAssembly module to a Wasmtime instance, triggering a host panic for DoS; this directly enables exploitation of public-facing applications (T1190) and endpoint DoS via application/system exploitation (T1499.004).
NVD Description
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-of-service vulnerability in Wasmtime due to guests being able to trigger a panic. The specific issue is that a historical refactoring changed how compiled code referenced tables within the table.* instructions. This refactoring forgot to update the associated Winch code paths as well, meaning that Winch was using the wrong indexing scheme. Due to the feature support of Winch the only problem that can result is tables being mixed up or nonexistent tables being used, meaning that the guest is limited to panicking the host (using a nonexistent table), or executing spec-incorrect behavior and modifying the wrong table. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
Deeper analysis (AI-generated)
CVE-2026-34946 is a vulnerability in Wasmtime, a runtime for WebAssembly, affecting versions from 25.0.0 up to but not including 36.0.7, 42.0.2, and 43.0.1. The issue lies in the Winch compiler, where compilation of the table.fill instruction can trigger a host panic: a historical refactoring changed the table indexing scheme used by compiled code but left the Winch code paths on the old scheme. As a result Winch can mix up tables or reference nonexistent ones. The issue is classified under CWE-670 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The vulnerability can be exploited by any unauthenticated remote attacker who provides a valid WebAssembly guest module to a Wasmtime instance using the Winch compiler on any architecture. Successful exploitation causes the host process to panic, resulting in a denial-of-service condition without impacting confidentiality or integrity.
According to the Wasmtime security advisory, the issue is mitigated by upgrading to fixed versions 36.0.7, 42.0.2, or 43.0.1. Additional details are available at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw.
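The affected-range check a defender needs when triaging this advisory, as an added Python example (not code from the page or from the Wasmtime project). It assumes the advisory's "from 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1" means each listed fix closes its own release branch, branches between them with no listed fix (37.x to 41.x) stay affected, and releases after the newest fix (44.0.0 and later) are fixed.

```python
# Added example (not from the advisory or the Wasmtime project): decide whether a
# Wasmtime version string is inside the affected range the advisory describes and
# which listed fixed release to upgrade to. Assumption: each listed fix closes its
# own release branch (36.x, 42.x, 43.x); branches with no listed fix (37.x-41.x)
# remain affected; releases after the newest fix (44.0.0+) are treated as fixed.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (25, 0, 0)          # "from 25.0.0 ..."
FIXED_VERSIONS: Tuple[Version, ...] = ((36, 0, 7), (42, 0, 2), (43, 0, 1))  # ascending


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (an optional leading 'v' is tolerated)."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True if this Wasmtime version is in the CVE-2026-34946 affected range."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False                           # released before the bug was introduced
    if v[0] > max(FIXED_VERSIONS)[0]:
        return False                           # newer than the newest fixed branch
    for fix in FIXED_VERSIONS:
        if v[0] == fix[0]:
            return v < fix                     # same branch: fixed at or above the fix
    return True                                # branch with no listed fix (37.x-41.x)


def upgrade_target(text: str) -> Optional[str]:
    """Lowest listed fixed release at or above this version's branch; None if not affected."""
    v = parse_version(text)
    if not is_affected(text):
        return None
    for fix in FIXED_VERSIONS:
        if fix[0] >= v[0]:
            return "%d.%d.%d" % fix
    return None                                # unreachable while is_affected() holds


if __name__ == "__main__":
    for ver in ("24.0.1", "25.0.0", "36.0.6", "36.0.7", "38.0.2", "42.0.2", "43.0.0", "44.0.0"):
        print(f"{ver:8} affected={is_affected(ver)!s:5} upgrade_to={upgrade_target(ver)}")
```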
Details
- CWE(s)