Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings between components contains a bug where the return value of a guest component's realloc is not validated before the host attempts to write through the pointer. This enables a guest to cause the host to write arbitrary transcoded string bytes to an arbitrary location up to 4GiB away from the base of linear memory. These writes on the host could hit unmapped memory or could corrupt host data structures depending on Wasmtime's configuration. Wasmtime by default reserves 4GiB of virtual memory for a guest's linear memory meaning that this bug will by default on hosts cause the host to hit unmapped memory and abort the process due to an unhandled fault. Wasmtime can be configured, however, to reserve less memory for a guest and to remove all guard pages, so some configurations of Wasmtime may lead to corruption of data outside of a guest's linear memory, such as host data structures or other guests's linear memories. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
AnalysisAI
Wasmtime prior to versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 allows authenticated remote attackers to corrupt memory by providing malicious realloc return values during string transcoding between WebAssembly components, enabling writes to arbitrary memory locations up to 4GiB away from linear memory base. On default configurations with 4GiB virtual memory reservation and guard pages, exploitation typically triggers process abort via unmapped memory access; however, configurations with reduced memory reservation and disabled guard pages risk corruption of host data structures or other guest linear memories.
Technical ContextAI
Wasmtime is a WebAssembly runtime that implements component-based interoperability including string transcoding between guest components and the host. The vulnerability resides in the string transcoding logic, which calls a guest-provided realloc function to allocate memory for transcoded strings. The root cause (CWE-787: Out-of-bounds Write) stems from insufficient validation of the realloc return value before the host writes transcoded string data through the returned pointer. The guest component can return an arbitrary pointer value, allowing the host to write controlled data to any memory location within the 4GiB address range. The impact depends critically on Wasmtime's memory configuration: the default setup reserves 4GiB of contiguous virtual address space with guard pages at the boundaries, causing out-of-bounds writes to fault on unmapped memory; non-default configurations that reduce the virtual memory reservation or remove guard pages allow direct memory corruption. Affected products span the Wasmtime runtime across all versions prior to the patched releases (CPE: cpe:2.3:a:bytecodealliance:wasmtime).
RemediationAI
Upgrade Wasmtime to patched versions: 24.0.7 or later for the 24.x branch, 36.0.7 or later for the 36.x branch, 42.0.2 or later for the 42.x branch, or 43.0.1 or later for the 43.x branch. Interim mitigations include maintaining default Wasmtime configuration with 4GiB virtual memory reservation and enabled guard pages, which will cause exploitation attempts to fault on unmapped memory rather than corrupt data. Applications should implement strict component provenance verification and avoid loading untrusted or unverified WebAssembly components until patched. Detailed remediation guidance is available in the official security advisory at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-394w-hwhg-8vgm.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21039
GHSA-394w-hwhg-8vgm