Skip to main content

Red Hat CVE-2026-35195

| EUVDEUVD-2026-21039 MEDIUM
Out-of-bounds Write (CWE-787)
2026-04-09 GitHub_M GHSA-394w-hwhg-8vgm
6.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Red Hat
6.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 19:15 euvd
EUVD-2026-21039
Analysis Generated
Apr 09, 2026 - 19:15 vuln.today
CVE Published
Apr 09, 2026 - 18:55 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings between components contains a bug where the return value of a guest component's realloc is not validated before the host attempts to write through the pointer. This enables a guest to cause the host to write arbitrary transcoded string bytes to an arbitrary location up to 4GiB away from the base of linear memory. These writes on the host could hit unmapped memory or could corrupt host data structures depending on Wasmtime's configuration. Wasmtime by default reserves 4GiB of virtual memory for a guest's linear memory meaning that this bug will by default on hosts cause the host to hit unmapped memory and abort the process due to an unhandled fault. Wasmtime can be configured, however, to reserve less memory for a guest and to remove all guard pages, so some configurations of Wasmtime may lead to corruption of data outside of a guest's linear memory, such as host data structures or other guests's linear memories. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.

AnalysisAI

Wasmtime prior to versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 allows authenticated remote attackers to corrupt memory by providing malicious realloc return values during string transcoding between WebAssembly components, enabling writes to arbitrary memory locations up to 4GiB away from linear memory base. On default configurations with 4GiB virtual memory reservation and guard pages, exploitation typically triggers process abort via unmapped memory access; however, configurations with reduced memory reservation and disabled guard pages risk corruption of host data structures or other guest linear memories.

Technical ContextAI

Wasmtime is a WebAssembly runtime that implements component-based interoperability including string transcoding between guest components and the host. The vulnerability resides in the string transcoding logic, which calls a guest-provided realloc function to allocate memory for transcoded strings. The root cause (CWE-787: Out-of-bounds Write) stems from insufficient validation of the realloc return value before the host writes transcoded string data through the returned pointer. The guest component can return an arbitrary pointer value, allowing the host to write controlled data to any memory location within the 4GiB address range. The impact depends critically on Wasmtime's memory configuration: the default setup reserves 4GiB of contiguous virtual address space with guard pages at the boundaries, causing out-of-bounds writes to fault on unmapped memory; non-default configurations that reduce the virtual memory reservation or remove guard pages allow direct memory corruption. Affected products span the Wasmtime runtime across all versions prior to the patched releases (CPE: cpe:2.3:a:bytecodealliance:wasmtime).

RemediationAI

Upgrade Wasmtime to patched versions: 24.0.7 or later for the 24.x branch, 36.0.7 or later for the 36.x branch, 42.0.2 or later for the 42.x branch, or 43.0.1 or later for the 43.x branch. Interim mitigations include maintaining default Wasmtime configuration with 4GiB virtual memory reservation and enabled guard pages, which will cause exploitation attempts to fault on unmapped memory rather than corrupt data. Applications should implement strict component provenance verification and avoid loading untrusted or unverified WebAssembly components until patched. Detailed remediation guidance is available in the official security advisory at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-394w-hwhg-8vgm.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed

Share

CVE-2026-35195 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy