CVE-2026-35186
Published: 09 April 2026
Summary
CVE-2026-35186 is a high-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in Bytecodealliance Wasmtime. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 14.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely patching of the table.grow typing bug in Wasmtime's Winch backend via upgrades to versions 36.0.7, 42.0.2, or 43.0.1 to eliminate the vulnerability.
Enforces secure configuration settings, such as default use of the Cranelift compiler and guard pages before linear memory, so that the vulnerable Winch backend is not enabled.
Implements memory protection mechanisms like guard pages to block unauthorized access to host memory preceding linear memory exploited by the Winch typing error.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of the Wasmtime runtime (public-facing apps) to trigger table.grow and cause a process crash/DoS. It maps to T1190 for initial remote access via the vulnerability and to T1499.004 for application exploitation leading to availability impact.
NVD Description
Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler backend contains a bug where translating the table.grow operator causes the result to be incorrectly typed. For 32-bit tables this means that the result of the operator, internally in Winch, is tagged as a 64-bit value instead of a 32-bit value. This invalid internal representation of Winch's compiler state compounds into further issues depending on how the value is consumed. The primary consequence of this bug is that bytes in the host's address space can be stored/read from. This is only applicable to the 16 bytes before linear memory, however, as the only significant return value of table.grow that can be misinterpreted is -1. The bytes before linear memory are, by default, unmapped memory. Wasmtime will detect this fault and abort the process, however, because wasm should not be able to access these bytes. Overall this bug in Winch represents a DoS vector by crashing the host process, a correctness issue within Winch, and a possible leak of up to 16 bytes before linear memory. Wasmtime's default compiler is Cranelift, not Winch, and Wasmtime's default settings are to place guard pages before linear memory. This means that Wasmtime's default configuration is not affected by this issue, and when explicitly choosing Winch, Wasmtime's otherwise default configuration leads to a DoS. Disabling guard pages before linear memory is required to possibly leak up to 16 bytes of host data. This vulnerability is fixed in 36.0.7, 42.0.2, and 43.0.1.
Deeper analysis
CVE-2026-35186 is a vulnerability in Wasmtime, a runtime for WebAssembly, specifically affecting its Winch compiler backend in versions from 25.0.0 up to but not including 36.0.7, 42.0.2, and 43.0.1. The issue arises during translation of the table.grow operator for 32-bit tables, where the result is incorrectly typed as a 64-bit value instead of 32-bit within Winch's internal representation. This leads to invalid compiler state that enables storage or reading of bytes in the host's address space, limited to the 16 bytes immediately before linear memory. Wasmtime's default compiler is Cranelift rather than Winch, and default configurations include guard pages before linear memory, mitigating the impact in standard setups.
Attackers can exploit this remotely with low complexity and no privileges or user interaction required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By triggering table.grow, adversaries can induce a denial-of-service condition by crashing the host process when Wasmtime detects and aborts on the invalid memory access to unmapped bytes before linear memory. In configurations where Winch is explicitly enabled and guard pages are disabled, exploitation could potentially leak up to 16 bytes of host data preceding linear memory, though the primary effect remains process termination.
The Wasmtime security advisory at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-f984-pcp8-v2p7 details the fix in releases 36.0.7, 42.0.2, and 43.0.1. Practitioners should upgrade to these patched versions, avoid enabling the Winch backend unless necessary, and retain default guard pages before linear memory to prevent exploitation. The vulnerability is mapped to CWE-789 (Uncontrolled Memory Allocation).
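The exposure rules described above can be applied to a deployment inventory. The following is an added example, not code from the advisory or from the Wasmtime project: the inventory field names and verdict strings are hypothetical, the sample hosts are constructed, and release lines for which the page names no fixed version (for example 37 through 41) are assumed to remain affected.

```python
# Added example: triage Wasmtime deployments against CVE-2026-35186.
FIRST_AFFECTED = (25, 0, 0)
FIXED_RELEASES = [(36, 0, 7), (42, 0, 2), (43, 0, 1)]  # fixed versions named on the page


def parse_version(text):
    """Turn '36.0.6' into (36, 0, 6); pre-release and build suffixes are dropped."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def version_affected(text):
    v = parse_version(text)
    if v < FIRST_AFFECTED or v >= FIXED_RELEASES[-1]:
        return False
    # A release on the same major line as a fixed release, at or above it, is fixed.
    # Assumption: majors with no fixed release on the page (e.g. 37-41) stay affected.
    return not any(v[0] == f[0] and v >= f for f in FIXED_RELEASES)


def triage(version, strategy="cranelift", guard_before_memory=True):
    """Classify one deployment using the conditions in the NVD description."""
    if not version_affected(version):
        return "unaffected: version"
    if strategy.lower() != "winch":
        return "unaffected: Winch not enabled"  # Cranelift is the default compiler
    if guard_before_memory:
        return "dos"          # fault on unmapped guard page, host process aborts
    return "dos+leak16"       # up to 16 bytes before linear memory may be exposed


# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"host": "edge-a", "version": "36.0.6", "strategy": "winch", "guard_before_memory": True},
    {"host": "edge-b", "version": "43.0.0", "strategy": "winch", "guard_before_memory": False},
    {"host": "batch-1", "version": "42.0.1", "strategy": "cranelift", "guard_before_memory": True},
    {"host": "batch-2", "version": "42.0.2", "strategy": "winch", "guard_before_memory": False},
]


def report(inventory=INVENTORY):
    return {h["host"]: triage(h["version"], h["strategy"], h["guard_before_memory"])
            for h in inventory}


if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host:10} {verdict}")
```

Hosts reported as `dos` or `dos+leak16` are the ones to upgrade first; the others are either on a fixed release or do not use the Winch backend.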
Details
- CWE(s)