Type Confusion in Wasmtime - CVE-2026-35186

Published: April 10, 2026


Vulnerability identifier: #VU125759
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35186
CWE-ID: CWE-843
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Bytecode Alliance
Affected software:
Wasmtime

Detailed vulnerability description

The vulnerability allows a remote user to cause a denial of service and disclose sensitive information.

The vulnerability exists due to improper type handling in the Winch compiler backend when translating the table.grow operator. A remote user can supply a WebAssembly module that uses the result of table.grow in memory operations, causing a denial of service or disclosing sensitive information.

By default, the issue results in a process abort because the affected access reaches unmapped memory before linear memory. Information disclosure of up to 16 bytes is possible only when guard pages before linear memory are disabled.


How to mitigate CVE-2026-35186

Install the security update from the vendor's website.

Sources