alt Hacker News> I don't ever want to run untrusted code from the internet outside of a sandbox ever again
WASM is great, but I think it's a wrong approach for sandboxing problem. It's technically possible to sandbox native applications (compiled into target machine code) using OS-builtin mechanisms, but it's not done for compatibility reasons, because this is the way things were done last 50 years or so.
Replies
Exactly. It is entirely a misconception to believe that WASM is this silver bullet on sandboxing and it is not that great security-wise I’m afraid.
It is only now being inspected by researchers and attackers who have found sandbox escapes [0] (chrome 0day), out-of-bounds [1] / use-after-free [2] and many other [3] flaws [4] in WebAssembly which I also agree that it is not enough for sandboxing at all.
[0] https://nvd.nist.gov/vuln/detail/CVE-2026-11645
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=2009901
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=2013741
[3] https://www.miggo.io/vulnerability-database/cve/CVE-2026-269...
[4] https://github.com/bytecodealliance/wasm-micro-runtime/secur...
sandboxing native apps just gives you security. with wasm you also get a single portable binary that can run on x86 windows, arm64 linux and in your browser with zero modification. you dont need to write platform specific code or use third party frameworks.