CVE-2026-34942
Published 2026-04-09
Priority P3 · 35 · medium · 6.5 CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.35% (27.3th percentile)
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | < 24.0.7 | 24.0.7 |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | >= 0 < 24.0.7 | 24.0.7 |
| bytecodealliance | wasmtime | >= 0.0.0-0 < 24.0.7 | 24.0.7 |
| bytecodealliance | wasmtime | >= 25.0.0 < 36.0.7 | 36.0.7 |
| bytecodealliance | wasmtime | >= 25.0.0 < 36.0.7 | 36.0.7 |
| bytecodealliance | wasmtime | >= 37.0.0 < 42.0.2 | 42.0.2 |
| bytecodealliance | wasmtime | >= 37.0.0 < 42.0.2 | 42.0.2 |
| bytecodealliance | wasmtime | >= 43.0.0 < 43.0.1 | 43.0.1 |
| bytecodealliance | wasmtime | >= 43.0.0 < 43.0.1 | 43.0.1 |
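The affected ranges in the table above can be checked against a project's `Cargo.lock`. The following triage helper is an added example, not code from Wasmtime or from any advisory quoted on this page; the sample lockfile is constructed, and matching only the crate named exactly `wasmtime` is an assumption.

```rust
// Added example: triage `wasmtime` entries in a Cargo.lock against the fixed
// releases this page lists for CVE-2026-34942 (24.0.7, 36.0.7, 42.0.2, 43.0.1).
type Version = (u64, u64, u64);

/// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes return None (manual review).
fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.split('.').map(|p| p.parse::<u64>().ok());
    let v = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { None } else { Some(v) }
}

/// Fixed release for the line `v` is on, or None if `v` is outside the table's ranges.
fn fixed_in(v: Version) -> Option<Version> {
    let fix = match v.0 {
        0..=24 => (24, 0, 7),
        25..=36 => (36, 0, 7),
        37..=42 => (42, 0, 2),
        43 => (43, 0, 1),
        _ => return None, // not covered by the ranges in the table
    };
    (v < fix).then_some(fix)
}

/// (locked version, version to upgrade to) for each affected `wasmtime` package.
/// Assumption: only the crate named exactly `wasmtime` is matched.
fn affected_in_lockfile(lock: &str) -> Vec<(String, String)> {
    let (mut out, mut is_wasmtime) = (Vec::new(), false);
    for line in lock.lines().map(str::trim) {
        if let Some(name) = line.strip_prefix("name = ") {
            is_wasmtime = name == "\"wasmtime\"";
        } else if let (true, Some(raw)) = (is_wasmtime, line.strip_prefix("version = ")) {
            let ver = raw.trim_matches('"');
            if let Some(f) = parse_version(ver).and_then(fixed_in) {
                out.push((ver.to_string(), format!("{}.{}.{}", f.0, f.1, f.2)));
            }
        }
    }
    out
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK: &str = "[[package]]\nname = \"wasmtime\"\nversion = \"36.0.6\"\n\n\
[[package]]\nname = \"wasmtime\"\nversion = \"43.0.1\"\n\n\
[[package]]\nname = \"wasmtime-environ\"\nversion = \"36.0.6\"\n";

fn main() {
    for (have, want) in affected_in_lockfile(SAMPLE_LOCK) {
        println!("wasmtime {have} is affected; upgrade to {want}");
    }
}
```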
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 5.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | | 5.9 | MEDIUM | |
Red Hat
wasmtime: Wasmtime: Denial of Service via improper string alignment verification
vendor_redhat·2026-04-09·CVSS 5.9
CVE-2026-34942 [MEDIUM] CWE-823 wasmtime: Wasmtime: Denial of Service via improper string alignment verification
A flaw was found in Wasmtime, a runtime for WebAssembly. This vulnerability allows a malicious guest to trigger a host panic by improperly verifying the alignment of reallocated strings during transcoding. By transferring specific strings across components, an attacker can exploit this to cause a Denial of Service (DoS) on the host system, making it unavailable.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: redhat-user-workloads/rhcl-1-3-wasm-shim (Red Hat Connectivity Link 1) - Fix deferred
Package:
OSV
Wasmtime: Panic when transcoding misaligned utf-16 strings
osv·2026-04-09
CVE-2026-34942 [MEDIUM] Wasmtime: Panic when transcoding misaligned utf-16 strings
### Impact
Wasmtime's implementation of transcoding strings into the Component Model's `utf16` or `latin1+utf16` encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses.
Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation.
### Patches
Wasmtime 24.0.7, 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. Users are recommended to update to these patched versions of Wasmtime.
### Workarounds
Ther
VulDB
bytecodealliance wasmtime up to 24.0.6/36.0.6/42.0.1/44.0.0 array index (GHSA-jxhv-7h78-9775)
vuldb·2026-04-09·CVSS 5.9
CVE-2026-34942 [MEDIUM] bytecodealliance wasmtime up to 24.0.6/36.0.6/42.0.1/44.0.0 array index (GHSA-jxhv-7h78-9775)
A vulnerability classified as problematic has been found in bytecodealliance wasmtime up to 24.0.6/36.0.6/42.0.1/44.0.0. The impacted element is an unknown function. Performing a manipulation results in improper validation of array index.
This vulnerability is cataloged as CVE-2026-34942. It is possible to initiate the attack remotely. There is no exploit available.
It is recommended to upgrade the affected component.
OSV
Panic when transcoding misaligned component model UTF-16 strings
osv·2026-04-09
CVE-2026-34942 Panic when transcoding misaligned component model UTF-16 strings
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775
For more information see the GitHub-hosted security advisory.
GHSA
Wasmtime: Panic when transcoding misaligned utf-16 strings
ghsa·2026-04-09
CVE-2026-34942 [MEDIUM] CWE-119 Wasmtime: Panic when transcoding misaligned utf-16 strings
### Impact
Wasmtime's implementation of transcoding strings into the Component Model's `utf16` or `latin1+utf16` encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses.
Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation.
### Patches
Wasmtime 24.0.7, 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. Users are recommended to update to these patched versions of Wasmtime.
### Workarounds
Ther
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-34942 tree-sitter: Wasmtime: Denial of Service via improper string alignment verification [fedora-all]
bugzilla·2026-04-09·CVSS 5.9
CVE-2026-34942 [MEDIUM] CVE-2026-34942 tree-sitter: Wasmtime: Denial of Service via improper string alignment verification [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-34942 wasmtime: Wasmtime: Denial of Service via improper string alignment verification
bugzilla·2026-04-09·CVSS 5.9
CVE-2026-34942 [MEDIUM] CVE-2026-34942 wasmtime: Wasmtime: Denial of Service via improper string alignment verification
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
Wiz
CVE-2026-34942 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-34942 [MEDIUM] CVE-2026-34942 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34942: Rust vulnerability analysis and mitigation
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
Source: NVD
Score: 5.9
Published: 2026-04-09