WebAssembly is an emerging secure programming language and portable instruction set architecture, and has been deployed in diverse security-critical scenarios due to its safety advantages. However, WebAssembly’s linear memory is still vulnerable to buffer overflows due to the lack of effective protection mechanism, defeating its security guarantees. In this paper, we present VMCanary, the first framework for effective WebAssembly memory protection, by leveraging a canary approach but with the aid from WebAssembly virtual machines (VMs). Our key idea is that, due to the fact that WebAssembly is a managed programming language to be executed by underlying WebAssembly VMs, the VMs must understand any protection mechanisms already enforced in programs. With this key idea, we first propose the concept of canary in code, which is like a traditional canary in data but whose semantics is understandable by underlying WebAssembly VMs. To realize this kind of canary, we introduced two novel WebAssembly instructions by defining their semantics. Furthermore, we designed an instrumentation for WebAssembly binaries to instrument these two instructions automatically, hence no sources and compiler toolchain modifications are required. We have implemented a software prototype for VMCanary, and have conducted extensive experiment to evaluate it on micro benchmarks and 59 real-world CWEs. Experimental results demonstrated that VMCanary is effective in protecting Wasm memory with negligible overhead (3% on average).