CVE-2026-35195 — Out-of-bounds Write in Wasmtime
Severity
6.1 MEDIUM (NVD)
EPSS
0.0%
top 98.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Apr 9
Description
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings between components contains a bug where the return value of a guest component's realloc is not validated before the host attempts to write through the pointer. This enables a guest to cause the host to write arbitrary transcoded string bytes to an arbitrary location up to 4GiB away from the base of linear memory. These writes on the host could hit unmapped memory o…
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
Affected Packages: 2 packages
Vulnerability Details (4)
VulDB
bytecodealliance wasmtime up to 24.0.6/36.0.6/42.0.1/44.0.0 out-of-bounds write (GHSA-394w-hwhg-8vgm), 2026-04-09
Vendor Advisories (1)
Red Hat
Wasmtime: Wasmtime: Data corruption and potential arbitrary code execution via unvalidated memory reallocation, 2026-04-09
Threat Intelligence (73)
Community (2)
Bugzilla
CVE-2026-35195 Wasmtime: Wasmtime: Data corruption and potential arbitrary code execution via unvalidated memory reallocation, 2026-04-09
Bugzilla
CVE-2026-35195 tree-sitter: Wasmtime: Data corruption and potential arbitrary code execution via unvalidated memory reallocation [fedora-all], 2026-04-09