alexcrichton opened PR #13005 from alexcrichton:ghsa-backports-43 to bytecodealliance:release-43.0.0:
Fixes for the following issues:
Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift. GHSA-jhxm-h53p-jm7w
Wasmtime with Winch compiler backend may allow a sandbox-escaping memory access. GHSA-xx5w-cvp6-jv83
Out-of-bounds write or crash when transcoding component model strings. GHSA-394w-hwhg-8vgm
Host panic when Winch compiler executes table.fill. GHSA-q49f-xg75-m9xw
Wasmtime segfault or unused out-of-sandbox load with f64x2.splat operator on x86-64. GHSA-qqfj-4vcm-26hv
Improperly masked return value from table.grow with Winch compiler backend. GHSA-f984-pcp8-v2p7
Panic when transcoding misaligned utf-16 strings. GHSA-jxhv-7h78-9775
Panic when lifting flags component value. GHSA-m758-wjhj-p3jq
Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding. GHSA-hx6p-xpx3-jvvv
Use-after-free bug after cloning wasmtime::Linker. GHSA-hfr4-7c6c-48w2
Data leakage between pooling allocator instances. GHSA-6wgr-89rj-399p
Host data leakage with 64-bit tables and Winch. GHSA-m9w2-8782-2946
alexcrichton requested cfallin for a review on PR #13005.
alexcrichton requested wasmtime-compiler-reviewers for a review on PR #13005.
alexcrichton requested wasmtime-default-reviewers for a review on PR #13005.
alexcrichton requested wasmtime-core-reviewers for a review on PR #13005.
cfallin submitted PR review.
alexcrichton has enabled auto merge for PR #13005.
alexcrichton updated PR #13005.
alexcrichton updated PR #13005.
alexcrichton merged PR #13005.
bjorn3 commented on PR #13005:
The advisories are not yet public.
cfallin commented on PR #13005:
@bjorn3 yes, this is our runbook process: we merge the fixes and the releases first, then once the artifacts are available, we flip the switch on the advisories.
Last updated: Apr 12 2026 at 23:10 UTC