Skip to main content

Wasmtime CVE-2026-34942

| EUVDEUVD-2026-20990 MEDIUM
Improper Validation of Array Index (CWE-129)
2026-04-09 GitHub_M GHSA-jxhv-7h78-9775
5.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.6 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 18:45 euvd
EUVD-2026-20990
Analysis Generated
Apr 09, 2026 - 18:45 vuln.today
CVE Published
Apr 09, 2026 - 18:32 nvd
MEDIUM 5.9

DescriptionGitHub Advisory

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.

AnalysisAI

Wasmtime prior to versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 fails to properly validate pointer alignment when transcoding strings into UTF-16 or Latin-1+UTF-16 encodings within the Component Model, allowing authenticated malicious WebAssembly guests to trigger host panics by passing specially crafted unaligned pointers across component boundaries. This denial-of-service vulnerability requires authenticated access and specific string configurations but results in controllable host crashes. CVSS score 5.9 reflects moderate severity with attack vector network and authentication requirement; SSVC framework rates exploitation as not yet observed with non-automatable exploitation.

Technical ContextAI

Wasmtime's Component Model provides a standardized interface for WebAssembly components to interact with host runtimes through string transcoding operations. The vulnerability resides in the string transcoding implementation for UTF-16 and Latin-1+UTF-16 character encodings, where memory reallocation occurs during the conversion process. The root cause is inadequate alignment verification of reallocated memory pointers prior to passing them to host functions for transcoding. CWE-129 (Improper Validation of Array Index) indicates that the vulnerability stems from insufficient bounds or alignment checking on memory addresses used as array indices or for direct memory operations. Affected products are identified by CPE cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:*:*:*, affecting all Wasmtime versions below the patched releases across multiple release branches.

RemediationAI

Upgrade to Wasmtime 24.0.7, 36.0.7, 42.0.2, or 43.0.1 or later depending on your currently deployed branch. These patched versions correct the alignment validation in string transcoding implementations. No workarounds are available for affected versions; patching is the only remediation. Users should prioritize updates if running untrusted or adversarially-controlled WebAssembly guests, as the vulnerability requires authenticated access and guest-side code execution but results in controllable host crashes. Consult https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775 for release notes and confirmation of patch availability.

CVE-2023-26489 CRITICAL
9.9 Mar 08

wasmtime is a fast and secure runtime for WebAssembly. Rated critical severity (CVSS 9.9), this vulnerability is remotel

CVE-2022-39394 CRITICAL
9.8 Nov 10

Wasmtime is a standalone runtime for WebAssembly. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2022-24791 CRITICAL
9.8 Mar 31

Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. Rated critical severity (CVSS 9.8), this vu

CVE-2024-30266 MEDIUM POC
5.5 Apr 04

wasmtime is a runtime for WebAssembly. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Pu

CVE-2026-34971 CRITICAL
9.0 Apr 09

Arbitrary memory read/write vulnerability in Bytecode Alliance Wasmtime versions 32.0.0 through 36.0.6, 42.0.0-42.0.1, a

CVE-2023-30624 HIGH
8.8 Apr 27

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit

CVE-2022-31146 HIGH
8.8 Jul 21

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit

CVE-2022-39393 HIGH
8.6 Nov 10

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.6), this vulnerability is remotely exploit

CVE-2026-27572 HIGH
7.5 Feb 24

Wasmtime's HTTP header handling in the wasmtime-wasi-http crate crashes when processing excessive header fields, allowin

CVE-2026-27195 HIGH
7.5 Feb 24

Wasmtime versions 39.0.0 and later experience a denial-of-service panic when async WebAssembly component functions are c

CVE-2022-31169 HIGH
7.5 Jul 22

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploit

CVE-2022-39392 HIGH
7.4 Nov 10

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 7.4), this vulnerability is remotely exploit

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed

Share

CVE-2026-34942 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy