{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/aarch64/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-34987"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wasmtime","sandbox-escape","memory-corruption","aarch64"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWasmtime, a WebAssembly runtime, is vulnerable to a sandbox escape issue when using the Winch compiler backend on aarch64 architecture. This vulnerability, affecting versions 25.0.0 through 36.0.7, 37.0.0 through 42.0.2, and 43.0.0, stems from improper handling of memory offsets within the Winch compiler. The Winch compiler is not the default, requiring the \u003ccode\u003e-Ccompiler=winch\u003c/code\u003e flag to activate it. A malicious or compromised Wasm guest could exploit this flaw to access host memory outside of its designated linear memory region. Successful exploitation could lead to denial of service, sensitive data leaks from the host process, or, with write access, potentially arbitrary remote code execution on the host system. Defenders should prioritize patching or switching to the Cranelift compiler backend to mitigate this critical vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious WebAssembly module specifically designed to exploit the memory offset vulnerability in the Winch compiler.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys the malicious Wasm module to a system running a vulnerable version of Wasmtime using the Winch compiler backend (\u003ccode\u003e-Ccompiler=winch\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable Wasmtime instance loads and compiles the malicious Wasm module using the Winch compiler.\u003c/li\u003e\n\u003cli\u003eDue to the flawed memory offset calculation within Winch, the Wasm module is able to access memory addresses outside of its allocated linear memory region.\u003c/li\u003e\n\u003cli\u003eThe Wasm module reads sensitive data from the host process\u0026rsquo;s memory space, such as configuration files, API keys, or other confidential information.\u003c/li\u003e\n\u003cli\u003eAlternatively, the Wasm module attempts to write arbitrary data to the host process\u0026rsquo;s memory space, potentially overwriting critical system data or injecting malicious code.\u003c/li\u003e\n\u003cli\u003eSuccessful memory corruption leads to a denial-of-service condition, a data leak, or potentially arbitrary code execution within the context of the host process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised host process to further compromise the system or network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a malicious Wasm guest to escape its sandbox and access the host system\u0026rsquo;s memory. This can result in a denial of service, where the host process crashes due to memory corruption. More critically, it can lead to the exfiltration of sensitive data from the host process, potentially exposing confidential information. In the worst-case scenario, the attacker could achieve arbitrary code execution on the host system, leading to a complete system compromise. The number of potential victims is dependent on the adoption rate of Wasmtime with the Winch compiler enabled in production environments, but given the severity of the potential impact, any vulnerable instance represents a significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Wasmtime version 43.0.1, 42.0.2, or 36.0.7 to patch CVE-2026-34987.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, switch to the Cranelift compiler backend by removing the \u003ccode\u003e-Ccompiler=winch\u003c/code\u003e flag from the Wasmtime execution command.\u003c/li\u003e\n\u003cli\u003eMonitor Wasmtime deployments for unexpected crashes or memory access violations that may indicate exploitation attempts. While no specific IOCs are provided, unusual process behavior from Wasmtime should be investigated.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-wasmtime-sandbox-escape/","summary":"A sandbox escape vulnerability exists in Wasmtime versions 25.0.0 to 36.0.7, 37.0.0 to 42.0.2, and version 43.0.0 when using the Winch compiler backend on aarch64 architecture, potentially allowing a Wasm guest to access host memory outside its sandbox, leading to denial of service, data leaks, or remote code execution.","title":"Wasmtime Winch Compiler Aarch64 Sandbox Escape Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-wasmtime-sandbox-escape/"}],"language":"en","title":"CraftedSignal Threat Feed — Aarch64","version":"https://jsonfeed.org/version/1.1"}