#VU125759 Type Confusion in Wasmtime - CVE-2026-35186

 


Published: April 10, 2026


Vulnerability identifier: #VU125759
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35186
CWE-ID: CWE-843
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Wasmtime
Software vendor: Bytecode Alliance

Description

The vulnerability allows a remote user to cause a denial of service and disclose sensitive information.

The vulnerability exists due to improper type handling in the Winch compiler backend when it translates the table.grow operator. A remote user can cause a WebAssembly module to use the result of table.grow in memory operations, resulting in a denial of service and disclosure of sensitive information.

By default, the issue results in a process abort because the affected access reaches unmapped memory before linear memory. Information disclosure of up to 16 bytes is possible only when guard pages before linear memory are disabled.
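
To inventory which stored modules contain table.grow at all, and so deserve review on hosts that compile with Winch, a conservative byte-level scan of the code section is enough. This is an added example, not code from the advisory or from Wasmtime; the function names and the two sample modules are constructed for illustration.

```python
# Added example: triage scanner, not Wasmtime or advisory code.
CODE_SECTION_ID = 10   # id of the core Wasm code section
MISC_PREFIX = 0xFC     # prefix byte of the 0xFC instruction group
TABLE_GROW = 15        # table.grow is 0xFC followed by the u32 value 15

# Constructed samples: one function each; the first runs table.grow on table 0.
SAMPLE_GROW = bytes.fromhex(
    "0061736d01000000" "0105016000017f" "03020100" "040401700001"
    "0a0b010900d0704101fc0f000b")
SAMPLE_PLAIN = bytes.fromhex(
    "0061736d01000000" "0105016000017f" "03020100" "0a06010400" "41000b")


def read_u32_leb(buf, pos):
    """Decode an unsigned LEB128 u32 at pos; return (value, next_pos)."""
    value = 0
    for i in range(5):                     # a u32 takes at most 5 bytes
        if pos + i >= len(buf):
            raise ValueError("truncated LEB128")
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("LEB128 longer than 5 bytes")


def may_use_table_grow(module):
    """True if code-section bytes decode as table.grow (over-approximate)."""
    # Immediates are not parsed: a constant holding the same bytes is flagged
    # too, and padded LEB128 encodings of 15 are recognised.
    if module[:8] != b"\x00asm\x01\x00\x00\x00":
        raise ValueError("not a core WebAssembly module (version 1)")
    pos = 8
    while pos < len(module):
        section_id = module[pos]
        size, body = read_u32_leb(module, pos + 1)
        code = module[body:body + size]
        pos = body + size
        if section_id != CODE_SECTION_ID:
            continue
        for i, byte in enumerate(code):
            if byte != MISC_PREFIX:
                continue
            try:
                if read_u32_leb(code, i + 1)[0] == TABLE_GROW:
                    return True
            except ValueError:
                pass                       # no valid u32 follows this 0xFC
    return False
```

A hit only marks a module for review on hosts that use the Winch backend; it does not show that the module reaches the affected code path.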


Remediation

Install the security update from the vendor's website.
