CVE-2026-34944: Wasmtime Cranelift Passive Data Libcall TOCTOU
greprules fetch cve-2026-34944-wasmtime-cranelift-passive-data-libcall-toctou --engine opengrep
Description
Using Cranelift built-in libcalls for Wasm passive data segments (`array.new_data`, `memory.init`, `data.drop`) is unsafe under asynchronous (fiber-based) execution. It creates a Time-of-Check to Time-of-Use (TOCTOU) vulnerability where bounds checks are performed before an implicit fiber yield, exposing segments to concurrent mutation or deletion. Inline bo