
CVE-2026-34987 -- CVSS 9.9 Vulnerability Briefing

CVE-2026-34987 | CVSS 9.9 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-34987 is a critical sandbox escape vulnerability in the Bytecode Alliance's Wasmtime WebAssembly runtime. It affects only the non-default Winch (baseline) compiler backend and may allow a maliciously crafted guest WebAssembly module to break out of its intended isolation boundary.

Technical Detail

The flaw affects Wasmtime versions from 25.0.0 up to, but not including, the patched releases 36.0.7, 42.0.2, and 43.0.1, and is triggered when the Winch compiler backend compiles specially constructed guest Wasm code. Winch is designed as a fast baseline compiler for development and testing scenarios; in the affected versions it appears to fail to enforce the memory and execution isolation guarantees that the default Cranelift backend maintains, allowing a guest module to access or influence host memory or execution context outside its sandbox. If exploited, this could result in host-level code execution or unauthorized memory access from within a supposedly isolated WebAssembly guest; the CVSS score of 9.9 reflects near-maximum severity.

Exploitation Status

No known exploit exists for this vulnerability at this time, and it has not been added to the CISA Known Exploited Vulnerabilities catalog. Exploit maturity is currently assessed as none, meaning no public proof-of-concept or weaponized code has been confirmed. However, the high CVSS score and the nature of the flaw make it a candidate for future exploitation research, particularly in environments where Wasmtime is used to execute untrusted Wasm workloads.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns, targeted sectors, or adversary groups have been associated with this vulnerability as of April 16, 2026.

What To Do

Organizations using Wasmtime should upgrade immediately to version 36.0.7, 42.0.2, or 43.0.1, depending on their current release branch. The Winch backend is non-default, so operators who have not explicitly enabled it are not exposed to this specific attack vector; confirming that Winch is disabled in production configurations is an effective interim workaround for those unable to patch immediately. Operators running untrusted Wasm workloads in multi-tenant or edge compute environments should treat this as a high-priority patch given the sandbox escape potential. Review deployment configurations to confirm which compiler backend is active, and monitor Bytecode Alliance security advisories for any updates to exploitation status.
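The two checks above (is the installed release one of the patched ones, and does any deployment configuration opt into Winch) can be scripted. The following POSIX shell script is an added example written for this briefing, not tooling from the Bytecode Alliance or the Wasmtime project. It classifies a version string against the fixed releases named above and greps configuration or launch files for the two real ways of selecting Winch: the CLI option `-C compiler=winch` and the Rust API call `Config::strategy(Strategy::Winch)`. Treating branches after 43 as carrying the fix, and branches 25 to 35 and 37 to 41 as having no fixed release, is an assumption made here; the briefing only names the three patched versions. The sample file the script scans is constructed for the example.

```shell
#!/bin/sh
# Added example for the CVE-2026-34987 briefing; not code from the Wasmtime
# project. Classifies a Wasmtime version against the fixed releases the
# advisory names (36.0.7, 42.0.2, 43.0.1) and flags Winch opt-ins in config.
set -e

# wasmtime_exposure VERSION -> prints one of: not-affected | patched | vulnerable
wasmtime_exposure() {
    ver=${1#v}                      # tolerate a leading "v"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}         # drop any non-numeric suffix
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;             # "43.1" style string: assume patch 0
    esac
    patch=${patch%%[!0-9]*}         # strip pre-release suffixes such as "-dev"

    # Releases before 25.0.0 predate the affected range.
    if [ "$major" -lt 25 ]; then
        echo not-affected
        return 0
    fi

    case "$major" in
        36) fix_minor=0; fix_patch=7 ;;
        42) fix_minor=0; fix_patch=2 ;;
        43) fix_minor=0; fix_patch=1 ;;
        *)
            # Assumption (not stated in the advisory): branches after 43 carry
            # the fix; branches 25-35 and 37-41 have no fixed release listed.
            if [ "$major" -gt 43 ]; then echo patched; else echo vulnerable; fi
            return 0 ;;
    esac

    if [ "$minor" -gt "$fix_minor" ] || \
       { [ "$minor" -eq "$fix_minor" ] && [ "$patch" -ge "$fix_patch" ]; }; then
        echo patched
    else
        echo vulnerable
    fi
}

# winch_opt_ins FILE -> prints every line that selects the Winch backend,
# matching the CLI form "-C compiler=winch" and the Rust API form
# "Strategy::Winch". The regex is this example's choice.
winch_opt_ins() {
    grep -inE 'compiler[= ]+winch|Strategy::Winch' "$1" || true
}

# winch_opt_in_count FILE -> number of matching lines (0 when none)
winch_opt_in_count() {
    grep -ciE 'compiler[= ]+winch|Strategy::Winch' "$1" || true
}

# Constructed sample (not a real deployment) so the script runs stand-alone.
sample_config=$(mktemp)
trap 'rm -f "$sample_config"' EXIT
cat > "$sample_config" <<'EOF'
wasmtime run -C compiler=cranelift app.wasm
wasmtime run -C compiler=winch tool.wasm
config.strategy(Strategy::Winch);
EOF

for v in 24.0.1 36.0.6 36.0.7 40.0.0 42.0.2 43.0.0 43.0.1; do
    echo "wasmtime $v: $(wasmtime_exposure "$v")"
done

echo "Winch opt-ins in sample config: $(winch_opt_in_count "$sample_config")"
winch_opt_ins "$sample_config"

# If a wasmtime binary is on PATH, classify it too. Assumes "wasmtime --version"
# prints the version as its second whitespace-separated field.
if command -v wasmtime >/dev/null 2>&1; then
    installed=$(wasmtime --version | awk '{print $2}')
    echo "installed wasmtime $installed: $(wasmtime_exposure "$installed")"
fi
```

A "vulnerable" result for a branch with no fixed release (for example 40.x) means moving to one of the three patched branches rather than waiting for a point release; a "patched" result still does not excuse a Winch opt-in in a configuration that runs untrusted modules, since Cranelift is the backend whose isolation guarantees the advisory relies on.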
