PT-2026-31681 · Bytecode Alliance · Wasmtime
Published 2026-04-09 · Updated 2026-04-09 · CVE-2026-34942
CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Wasmtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1
Description
Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings did not properly verify the alignment of reallocated strings. This could allow unaligned pointers to be passed to the host for transcoding, triggering a host panic. This panic can be triggered by malicious guests transferring specific strings across components with specific addresses. Host panics are considered a denial-of-service (DoS) vector as the panic conditions are controlled by the guest.
Recommendations
Update to Wasmtime version 24.0.7 or later.
Update to Wasmtime version 36.0.7 or later.
Update to Wasmtime version 42.0.2 or later.
Update to Wasmtime version 43.0.1 or later.
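The class of check the description refers to, as an added example that is not Wasmtime source code: a host treats the destination offset returned by a guest allocator as untrusted, validates its 2-byte alignment and bounds, and reports a recoverable error instead of panicking. The `Trap` type, the function names and the byte-slice model of linear memory are all hypothetical.

```rust
// Added illustration; not Wasmtime source. All names here are hypothetical.
#[derive(Debug, PartialEq)]
pub enum Trap {
    Unaligned { ptr: u32 },
    OutOfBounds { ptr: u32, bytes: u64 },
}

/// Validate a guest-supplied destination for `units` UTF-16 code units.
/// `ptr` models the offset a guest allocator returned; it is untrusted.
pub fn utf16_dest(mem: &mut [u8], ptr: u32, units: usize) -> Result<&mut [u8], Trap> {
    // UTF-16 code units are 2 bytes wide, so the offset must be even.
    if ptr % 2 != 0 {
        return Err(Trap::Unaligned { ptr });
    }
    // Size math in u64 with saturation so a large count cannot wrap around.
    let bytes = (units as u64).saturating_mul(2);
    let end = u64::from(ptr).saturating_add(bytes);
    if end > mem.len() as u64 {
        return Err(Trap::OutOfBounds { ptr, bytes });
    }
    Ok(&mut mem[ptr as usize..end as usize])
}

/// Transcode `src` to little-endian UTF-16 at `ptr`; returns code units written.
/// Every failure is an `Err` the embedder can surface as a guest trap.
pub fn transcode_to_utf16(mem: &mut [u8], src: &str, ptr: u32) -> Result<usize, Trap> {
    let units: Vec<u16> = src.encode_utf16().collect();
    let dest = utf16_dest(mem, ptr, units.len())?;
    for (chunk, unit) in dest.chunks_exact_mut(2).zip(&units) {
        chunk.copy_from_slice(&unit.to_le_bytes());
    }
    Ok(units.len())
}

fn main() {
    let mut mem = vec![0u8; 64]; // constructed stand-in for guest linear memory
    println!("{:?}", transcode_to_utf16(&mut mem, "héllo", 8)); // aligned offset
    println!("{:?}", transcode_to_utf16(&mut mem, "héllo", 9)); // odd offset
    println!("{:?}", transcode_to_utf16(&mut mem, "héllo", 60)); // runs past the end
}
```

The point for embedders is the failure mode: a guest-controlled value that fails validation ends that guest's call with an error, while the host process keeps running.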
Fix
Buffer Overflow
Improper Validation of Array Index
Related Identifiers
Affected Products
Wasmtime