CVE-2026-34941: Out-of-bounds Read in Wasmtime

Severity
6.9 MEDIUM (NVD)
EPSS
0.0% (top 96.66%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 9

Description

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where, when transcoding a UTF-16 string to the latin1+utf16 component-model encoding, it incorrectly validated the byte length of the input string when performing a bounds check. Specifically, the bounds check used the number of UTF-16 code units rather than the byte length, which is twice the number of code units, so a guest can pass a check for a string whose bytes extend past the end of its linear memory. This vulnerability can cause the host to read beyond the end of a WebAssembly'
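The following is an added example that is not Wasmtime's own code: it models the flawed and corrected bounds checks described above against a small constructed guest memory, so the effect of checking code units instead of bytes is visible. The function and type names (`bounds_ok_flawed`, `bounds_ok_fixed`, `transcode_utf16`, `Outcome`, `GUEST_MEM`) and the simplified latin1+utf16 encoder are assumptions for illustration, not Wasmtime's internal API.

```rust
/// Bytes per UTF-16 code unit.
const UTF16_UNIT_BYTES: usize = 2;

/// Result of a simulated host-side transcode of a guest UTF-16 string.
#[derive(Debug, PartialEq)]
enum Outcome {
    /// The bounds check refused the (ptr, units) pair.
    Rejected,
    /// The bounds check accepted it, but the read would run this many bytes
    /// past the end of linear memory: the bug's observable effect.
    OobRead(usize),
    /// Decoded successfully.
    Decoded(String),
}

/// Flawed check, modelled on the advisory (assumption, not Wasmtime's code):
/// the code-unit count, not the byte length, is compared against memory size.
fn bounds_ok_flawed(mem_len: usize, ptr: usize, units: usize) -> bool {
    ptr.checked_add(units).map_or(false, |end| end <= mem_len)
}

/// Corrected check: convert code units to bytes first, with overflow detection
/// on both the multiply and the add.
fn bounds_ok_fixed(mem_len: usize, ptr: usize, units: usize) -> bool {
    units
        .checked_mul(UTF16_UNIT_BYTES)
        .and_then(|bytes| ptr.checked_add(bytes))
        .map_or(false, |end| end <= mem_len)
}

/// Read `units` UTF-16LE code units at `ptr` from `mem`, guarded by `check`.
/// Instead of dereferencing past the buffer (what a host doing raw pointer
/// arithmetic would do), an overrun is reported as `Outcome::OobRead`.
fn transcode_utf16(
    mem: &[u8],
    ptr: usize,
    units: usize,
    check: fn(usize, usize, usize) -> bool,
) -> Outcome {
    if !check(mem.len(), ptr, units) {
        return Outcome::Rejected;
    }
    let end = ptr.saturating_add(units.saturating_mul(UTF16_UNIT_BYTES));
    if end > mem.len() {
        return Outcome::OobRead(end - mem.len());
    }
    let code_units: Vec<u16> = mem[ptr..end]
        .chunks_exact(UTF16_UNIT_BYTES)
        .map(|c| u16::from_le_bytes([c[0], c[1]]))
        .collect();
    Outcome::Decoded(String::from_utf16_lossy(&code_units))
}

/// Simplified latin1+utf16 target encoding: one byte per character when every
/// code unit fits in 0..=0xFF, otherwise UTF-16LE. Returns (is_utf16, bytes).
/// The real Canonical ABI also tags the length field; that is omitted here.
fn encode_latin1_utf16(s: &str) -> (bool, Vec<u8>) {
    let units: Vec<u16> = s.encode_utf16().collect();
    if units.iter().all(|&u| u <= 0xFF) {
        (false, units.iter().map(|&u| u as u8).collect())
    } else {
        (true, units.iter().flat_map(|u| u.to_le_bytes()).collect())
    }
}

/// Constructed 8-byte guest memory: "Hi!" in UTF-16LE followed by two zero bytes.
const GUEST_MEM: [u8; 8] = [0x48, 0x00, 0x69, 0x00, 0x21, 0x00, 0x00, 0x00];

fn main() {
    // A guest claims 6 code units (12 bytes) at offset 0 of an 8-byte memory.
    println!("flawed: {:?}", transcode_utf16(&GUEST_MEM, 0, 6, bounds_ok_flawed));
    println!("fixed:  {:?}", transcode_utf16(&GUEST_MEM, 0, 6, bounds_ok_fixed));
    println!("legit:  {:?}", transcode_utf16(&GUEST_MEM, 0, 3, bounds_ok_fixed));
    println!("encode: {:?}", encode_latin1_utf16("H€"));
}
```

The flawed check accepts 6 code units against an 8-byte memory because 0 + 6 <= 8, while the 12 bytes actually needed overrun the buffer by 4; the corrected check multiplies first and rejects the same request, and `checked_mul` also catches a code-unit count large enough to wrap the byte length.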

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages (2 packages)

Source      Package                    Affected range
CVEListV5   bytecodealliance/wasmtime  < 24.0.7 (+3 more ranges)
crates.io   bytecodealliance/wasmtime  0.0.0-0 to 24.0.7 (+4 more ranges)

🔴 Vulnerability Details (4)

OSV: Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding (2026-04-09)
VulDB: bytecodealliance wasmtime up to 24.0.6/36.0.6/42.0.1/44.0.0 out-of-bounds (GHSA-hx6p-xpx3-jvvv) (2026-04-09)
OSV: Wasmtime: Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding (2026-04-09)
GHSA: Wasmtime: Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding (2026-04-09)

📋 Vendor Advisories (1)

Red Hat: wasmtime: Wasmtime: Denial of Service and potential information disclosure via incorrect UTF-16 string validation (2026-04-09)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-34941 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (2)

Bugzilla: CVE-2026-34941 wasmtime: Wasmtime: Denial of Service and potential information disclosure via incorrect UTF-16 string validation (2026-04-09)
Bugzilla: CVE-2026-34941 tree-sitter: Wasmtime: Denial of Service and potential information disclosure via incorrect UTF-16 string validation [fedora-all] (2026-04-09)