CVE-2026-34942

Description

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:* - VULNERABLE

Wasmtime < 24.0.7

Wasmtime < 36.0.7

Wasmtime < 42.0.2

Wasmtime < 43.0.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

(module
  ;; PoC Concept: Trigger alignment issue in Wasmtime transcoding
  ;; This is a simplified representation. Real exploitation requires specific memory layout.
  (memory $0 1)
  (data $0 (i32.const 0) "\00\01") ;; Specific alignment bytes
  (func (export "trigger_dos")
    ;; In a vulnerable version, passing data with specific alignment
    ;; during utf16/latin1 transcoding could cause a host panic.
    nop
  )
)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34942
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34942
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34942/
[4] VulDB https://vuldb.com/cve/CVE-2026-34942
[5] https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34942", "sourceIdentifier": "[email protected]", "published": "2026-04-09T19:16:23.857", "lastModified": "2026-04-20T18:28:12.557", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-129"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "versionEndExcluding": "24.0.7", "matchCriteriaId": "5A39DBFB-CD5E-4551-8885-053DF90E277A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "versionStartIncluding": "25.0.0", "versionEndExcluding": "36.0.7", "matchCriteriaId": "B5AB2157-3977-49F9-9058-6B16A2556170"}, {"vulnerable": true, "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "versionStartIncluding": "37.0.0", "versionEndExcluding": "42.0.2", "matchCriteriaId": "1D7B70EB-93E3-4732-AB70-E6A531178941"}, {"vulnerable": true, "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "versionStartIncluding": "43.0.0", "versionEndExcluding": "43.0.1", "matchCriteriaId": "15FD6AA4-973B-4647-9222-40FBDC16A6FD"}]}]}], "references": [{"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}