PT-2026-31680 · Bytecode Alliance · Wasmtime

Published 2026-04-09 · Updated 2026-05-06 · CVE-2026-34941

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Wasmtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1

Description

Wasmtime contains an issue where transcoding a UTF-16 string to the latin1+utf16 component-model encoding incorrectly validates the byte length of the input string during a bounds check. The check compared the number of UTF-16 code units against the memory size instead of the byte length, which is twice the number of code units. As a result, the host can read beyond the end of a WebAssembly instance's linear memory when attempting to transcode bytes that do not exist. In Wasmtime's default configuration, this results in a segfault. If guard pages are disabled, however, host memory beyond the end of linear memory may be read and interpreted as UTF-16. A host segfault is a denial-of-service condition, and reading beyond the end of linear memory is an additional potential issue. This affects users running untrusted wasm components that use cross-component string passing with a UTF-16 source encoding and a latin1+utf16 destination encoding.

Recommendations

Update to Wasmtime version 24.0.7, 36.0.7, 42.0.2, or 43.0.1 or later, matching the release line in use.
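The length confusion described above, modelled as an added example that is not Wasmtime's own code: the string is passed as (ptr, len) where len counts UTF-16 code units, and the two bounds checks are compared on a constructed 8-byte linear memory. Function and type names are hypothetical, and the latin1+utf16 encoding is simplified to "latin1 if every code unit fits in a byte, otherwise keep UTF-16".

```rust
// Hypothetical model of the host-side UTF-16 -> latin1+utf16 transcode.
// A wasm string is (ptr, len) with len in UTF-16 code units (2 bytes each).

/// Outcome of the transcode (simplified latin1+utf16 result).
#[derive(Debug, PartialEq)]
pub enum Transcoded {
    Latin1(Vec<u8>),  // every code unit was <= 0xFF
    Utf16(Vec<u16>),  // at least one code unit > 0xFF, so UTF-16 is kept
}

/// The flawed check: `ptr + len` compares code units, not bytes, against
/// the memory size, so it accepts reads up to `len` bytes past the end.
pub fn flawed_bounds_ok(memory_len: usize, ptr: usize, code_units: usize) -> bool {
    ptr.checked_add(code_units).map_or(false, |end| end <= memory_len)
}

/// The correct check: each code unit is 2 bytes, with overflow handled.
pub fn correct_bounds_ok(memory_len: usize, ptr: usize, code_units: usize) -> bool {
    code_units
        .checked_mul(2)
        .and_then(|bytes| ptr.checked_add(bytes))
        .map_or(false, |end| end <= memory_len)
}

/// Transcode using the correct byte-length check; `None` means the
/// (ptr, len) pair does not fit inside linear memory and is rejected.
pub fn transcode_utf16_to_latin1_utf16(memory: &[u8], ptr: usize, code_units: usize) -> Option<Transcoded> {
    if !correct_bounds_ok(memory.len(), ptr, code_units) {
        return None;
    }
    // Decode little-endian UTF-16 code units from the validated range only.
    let units: Vec<u16> = memory[ptr..ptr + code_units * 2]
        .chunks_exact(2)
        .map(|c| u16::from_le_bytes([c[0], c[1]]))
        .collect();
    if units.iter().all(|&u| u <= 0xFF) {
        Some(Transcoded::Latin1(units.iter().map(|&u| u as u8).collect()))
    } else {
        Some(Transcoded::Utf16(units))
    }
}

fn main() {
    // Constructed 8-byte linear memory holding "hi" in UTF-16LE at offset 4.
    let mem = [0u8, 0, 0, 0, b'h', 0, b'i', 0];
    // len = 3 code units means 6 bytes from offset 4, i.e. 2 bytes past the end.
    println!("flawed: {}  correct: {}", flawed_bounds_ok(mem.len(), 4, 3), correct_bounds_ok(mem.len(), 4, 3));
    println!("{:?}", transcode_utf16_to_latin1_utf16(&mem, 4, 2));
}
```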

Fix

Weakness Enumeration

Out of bounds Read

Related Identifiers

CVE-2026-34941
GHSA-HX6P-XPX3-JVVV
OPENSUSE-SU-2026:10715-1
RUSTSEC-2026-0093

Affected Products

Wasmtime