CVE-2026-34941
Published 2026-04-09
Priority: P3 · 46 · high
CVSS 3.1 base score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS: 0.38% (29.4th percentile)
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where, when transcoding a UTF-16 string to the latin1+utf16 component-model encoding, it incorrectly validated the byte length of the input string when performing a bounds check. Specifically, the number of code units was checked instead of the byte length, which is twice the number of code units. This vulnerability can cause the host to read beyond the end of a WebAssembly module's linear memory in an attempt to transcode nonexistent bytes. In Wasmtime's default configuration this reads unmapped memory on a guard page, terminating the process with a segfault. Wasmtime can be configured, however, without guard pages, in which case host memory beyond the end of linear memory may be read and interpreted as UTF-16. A host segfault is a denial-of-service vulnerability in Wasmtime, and the possibility of reading beyond the end of linear memory is additionally a vulnerability. Note that reading beyond the end of linear memory requires a nonstandard configuration of Wasmtime, specifically with guard pages disabled. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
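The description above hinges on one arithmetic detail: a bounds check that compares a count of 2-byte code units against a byte-sized memory limit admits ranges that end up to twice as far past the end of memory as the check believes. The following is an added example, not Wasmtime's code, that models the flawed check beside the corrected one on a simulated linear memory and runs a simplified latin1+utf16 transcoding (all code units ≤ 0xFF are narrowed to one byte each, otherwise the string stays UTF-16) behind each. `LinearMemory`, `bounds_check_by_code_units`, `bounds_check_by_bytes`, `Outcome` and `transcode_utf16_to_latin1_utf16` are this example's own names and are assumptions, not Wasmtime's API; the `OutOfBounds` outcome stands in for what a real host would do at that point (fault on a guard page, or read host memory without one).

```rust
// Added example (not Wasmtime's code): the bounds-check bug class from
// CVE-2026-34941, modelled on a simulated guest linear memory.

/// A simulated guest linear memory backed by a plain byte buffer
/// (this example's own type; real runtimes use mmap-backed memories).
pub struct LinearMemory {
    pub bytes: Vec<u8>,
}

impl LinearMemory {
    pub fn new(size: usize) -> Self {
        LinearMemory { bytes: vec![0; size] }
    }

    /// Store `s` as UTF-16LE at byte offset `ptr`; returns the code-unit count.
    pub fn write_utf16(&mut self, ptr: usize, s: &str) -> usize {
        let mut units = 0;
        for (i, unit) in s.encode_utf16().enumerate() {
            let off = ptr + i * 2;
            self.bytes[off..off + 2].copy_from_slice(&unit.to_le_bytes());
            units += 1;
        }
        units
    }
}

/// The flawed check the advisory describes: the *number of code units* is
/// compared against the memory size, as though each unit occupied one byte.
pub fn bounds_check_by_code_units(mem_len: usize, ptr: usize, units: usize) -> bool {
    ptr.checked_add(units).map_or(false, |end| end <= mem_len)
}

/// The corrected check: a UTF-16 code unit is two bytes, so the byte length
/// is `units * 2`, computed with overflow-safe arithmetic.
pub fn bounds_check_by_bytes(mem_len: usize, ptr: usize, units: usize) -> bool {
    units
        .checked_mul(2)
        .and_then(|n| ptr.checked_add(n))
        .map_or(false, |end| end <= mem_len)
}

/// Result of a guarded transcode.
#[derive(Debug, PartialEq)]
pub enum Outcome {
    Rejected,        // the bounds check refused the range
    OutOfBounds,     // the check passed, yet the bytes lie past the end of memory
    Latin1(Vec<u8>), // every unit <= 0xFF: narrowed to one byte per unit
    Utf16(Vec<u16>), // otherwise: kept as UTF-16 code units
}

/// Validate `(ptr, units)` with `check`, then transcode the string.
/// `OutOfBounds` after a passed check is exactly the advisory's situation.
pub fn transcode_utf16_to_latin1_utf16(
    mem: &LinearMemory,
    ptr: usize,
    units: usize,
    check: fn(usize, usize, usize) -> bool,
) -> Outcome {
    if !check(mem.bytes.len(), ptr, units) {
        return Outcome::Rejected;
    }
    // The actual read always spans `units * 2` bytes, whatever the check assumed.
    let Some(slice) = units
        .checked_mul(2)
        .and_then(|n| ptr.checked_add(n))
        .and_then(|end| mem.bytes.get(ptr..end))
    else {
        return Outcome::OutOfBounds;
    };
    let code_units: Vec<u16> = slice
        .chunks_exact(2)
        .map(|c| u16::from_le_bytes([c[0], c[1]]))
        .collect();
    if code_units.iter().all(|&u| u <= 0xFF) {
        Outcome::Latin1(code_units.iter().map(|&u| u as u8).collect())
    } else {
        Outcome::Utf16(code_units)
    }
}

fn main() {
    // Constructed scenario: a 64-byte memory and a string claimed to occupy
    // its last 24 code units. The unit-based check accepts it (40 + 24 <= 64);
    // the byte-based check rejects it (40 + 48 > 64).
    let mut mem = LinearMemory::new(64);
    mem.write_utf16(40, "ab");
    println!("{:?}", transcode_utf16_to_latin1_utf16(&mem, 40, 24, bounds_check_by_code_units));
    println!("{:?}", transcode_utf16_to_latin1_utf16(&mem, 40, 24, bounds_check_by_bytes));
}
```

The corrected check is the whole fix: once the limit is expressed in bytes, a claimed length that would overflow `usize * 2` is rejected by `checked_mul` rather than wrapping, and a string whose bytes would end past the memory is rejected before any read is attempted.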
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | < 24.0.7 | 24.0.7 |
| bytecodealliance | wasmtime | >= 25.0.0 < 36.0.7 | 36.0.7 |
| bytecodealliance | wasmtime | >= 37.0.0 < 42.0.2 | 42.0.2 |
| bytecodealliance | wasmtime | >= 43.0.0 < 43.0.1 | 43.0.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
| NVD | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| Red Hat (vendor) | — | 6.9 | MEDIUM | — |
OSV (RustSec) · 2026-04-09
Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hx6p-xpx3-jvvv. For more information see the GitHub-hosted security advisory.
VulDB · 2026-04-09 · CVSS 6.9 (MEDIUM)
bytecodealliance wasmtime up to 24.0.6/36.0.6/42.0.1/44.0.0 out-of-bounds (GHSA-hx6p-xpx3-jvvv)
A vulnerability described as problematic has been identified in bytecodealliance wasmtime up to 24.0.6/36.0.6/42.0.1/44.0.0. The affected element is an unknown function. Such manipulation leads to out-of-bounds read. This vulnerability is listed as CVE-2026-34941. The attack may be performed from remote. There is no available exploit. Upgrading the affected component is recommended.
OSV / GHSA (GHSA-hx6p-xpx3-jvvv) · 2026-04-09 · MEDIUM · CWE-125
Wasmtime: Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding
### Summary
Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byte length of the input string when performing a bounds check. Specifically the number of code units were checked instead of the byte length, which is twice the size of the code units.
This vulnerability can cause the host to read beyond the end of a WebAssembly's linear memory in an attempt to transcode nonexistent bytes. In Wasmtime's default configuration this will read unmapped memory on a guard page, terminating the process with a segfault. Wasmtime can be configured, however, without guard pages which would mean that host memory beyond the end of linear memory may be read and interpreted as UTF-16.
Red Hat · 2026-04-09 · CVSS 6.9 (MEDIUM) · CWE-135
wasmtime: Wasmtime: Denial of Service and potential information disclosure via incorrect UTF-16 string validation
A flaw was found in Wasmtime, a runtime for WebAssembly. When transcoding a UTF-16 string to the latin1+utf16 component-model encoding, Wasmtime incorrectly validates the byte length of the input string, checking the number of code units instead of the actual byte length. This vulnerability can lead to a Denial of Service (DoS) by causing the host process to terminate with a segmentation fault. In nonstandard configurations where guard pages are disabled, this flaw may also allow for information disclosure by reading beyond the end of WebAssembly's linear memory.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the R
No detection rules found. No public exploits indexed.
Bugzilla · 2026-04-09 · CVSS 6.9 (MEDIUM)
CVE-2026-34941 wasmtime: Wasmtime: Denial of Service and potential information disclosure via incorrect UTF-16 string validation
Description: identical to the CVE description above.
Bugzilla · 2026-04-09 · CVSS 6.9 (MEDIUM)
CVE-2026-34941 tree-sitter: Wasmtime: Denial of Service and potential information disclosure via incorrect UTF-16 string validation [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Wiz · published 2026-04-09 · CVSS 6.9 (MEDIUM)
CVE-2026-34941 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34941: Rust vulnerability analysis and mitigation
Description: identical to the CVE description above.