CVE-2026-34942Improper Validation of Array Index in Wasmtime

CWE-129Improper Validation of Array IndexCWE-823Use of Out-of-range Pointer OffsetCWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer9 documents7 sources
Severity
5.9MEDIUMNVD
EPSS
0.0%
top 96.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Bytecodealliance Wasmtime
Timeline
PublishedApr 9

Description

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. H

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Affected Packages2 packages

CVEListV5bytecodealliance/wasmtime< 24.0.7+3
crates.iobytecodealliance/wasmtime25.0.036.0.7+4

🔴Vulnerability Details

4
OSV
Wasmtime: Panic when transcoding misaligned utf-16 strings2026-04-09
VulDB
bytecodealliance wasmtime up to 24.0.6/36.0.6/42.0.1/44.0.0 array index (GHSA-jxhv-7h78-9775)2026-04-09
OSV
Panic when transcoding misaligned component model UTF-16 strings2026-04-09
GHSA
Wasmtime: Panic when transcoding misaligned utf-16 strings2026-04-09

📋Vendor Advisories

1
Red Hat
wasmtime: Wasmtime: Denial of Service via improper string alignment verification2026-04-09

🕵️Threat Intelligence

1
Wiz
CVE-2026-34942 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

2
Bugzilla
CVE-2026-34942 tree-sitter: Wasmtime: Denial of Service via improper string alignment verification [fedora-all]2026-04-09
Bugzilla
CVE-2026-34942 wasmtime: Wasmtime: Denial of Service via improper string alignment verification2026-04-09