Wasmtime GitHub notifications bot (Apr 09 2026 at 14:37): Wasmtime GitHub notifications bot (Apr 09 2026 at 14:37):alexcrichton opened PR #13004 from alexcrichton:ghsa-backports-42 to bytecodealliance:release-42.0.0:
Fixes for these issues:
Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift.
GHSA-jhxm-h53p-jm7wWasmtime with Winch compiler backend may allow a sandbox-escaping memory
access.
GHSA-xx5w-cvp6-jv83Out-of-bounds write or crash when transcoding component model strings.
GHSA-394w-hwhg-8vgmHost panic when Winch compiler executes
table.fill.
GHSA-q49f-xg75-m9xwWasmtime segfault or unused out-of-sandbox load with
f64x2.splatoperator
on x86-64.
GHSA-qqfj-4vcm-26hvImproperly masked return value from
table.growwith Winch compiler backend.
GHSA-f984-pcp8-v2p7Panic when transcoding misaligned utf-16 strings.
GHSA-jxhv-7h78-9775Panic when lifting
flagscomponent value.
GHSA-m758-wjhj-p3jqHeap OOB read in component model UTF-16 to latin1+utf16 string transcoding.
GHSA-hx6p-xpx3-jvvvData leakage between pooling allocator instances.
GHSA-6wgr-89rj-399pHost data leakage with 64-bit tables and Winch.
GHSA-m9w2-8782-2946
Wasmtime GitHub notifications bot (Apr 09 2026 at 14:37):alexcrichton requested wasmtime-compiler-reviewers for a review on PR #13004.
Wasmtime GitHub notifications bot (Apr 09 2026 at 14:37):alexcrichton requested fitzgen for a review on PR #13004.
Wasmtime GitHub notifications bot (Apr 09 2026 at 14:37):alexcrichton requested wasmtime-default-reviewers for a review on PR #13004.
Wasmtime GitHub notifications bot (Apr 09 2026 at 14:37):alexcrichton requested wasmtime-core-reviewers for a review on PR #13004.
Wasmtime GitHub notifications bot (Apr 09 2026 at 14:37):cfallin submitted PR review.
Wasmtime GitHub notifications bot (Apr 09 2026 at 14:39):alexcrichton has enabled auto merge for PR #13004.
Wasmtime GitHub notifications bot (Apr 09 2026 at 15:06):alexcrichton updated PR #13004.
Wasmtime GitHub notifications bot (Apr 09 2026 at 15:47):alexcrichton merged PR #13004.
Last updated: Apr 12 2026 at 23:10 UTC