Description
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byte length of the input string when performing a bounds check. Specifically the number of code units were checked instead of the byte length, which is twice the size of the code units. This vulnerability can cause the host to read beyond the end of a WebAssembly's linear memory in an attempt to transcode nonexistent bytes. In Wasmtime's default configuration this will read unmapped memory on a guard page, terminating the process with a segfault. Wasmtime can be configured, however, without guard pages which would mean that host memory beyond the end of linear memory may be read and interpreted as UTF-16. A host segfault is a denial-of-service vulnerability in Wasmtime, and possibly being able to read beyond the end of linear memory is additionally a vulnerability. Note that reading beyond the end of linear memory requires nonstandard configuration of Wasmtime, specifically with guard pages disabled. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
Published: 2026-04-09
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

Wasmtime incorrectly validates the length of a UTF‑16 string when transcoding it to the component‑model latin1+utf16 encoding. The bounds check compares the number of UTF‑16 code units against the memory available, but each code unit is two bytes, so a string whose byte length runs past the end of the module's linear memory can still pass the check, and the host then reads beyond that end. In the default configuration the read lands on an unmapped guard page and the process dies with a segmentation fault, a denial of service. If the embedder has disabled guard pages, the host instead reads whatever lies immediately past the end of linear memory and interprets it as UTF‑16, which can leak host memory contents into the transcoded string.
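The check at the root of the issue, modelled as an added example in Rust (Wasmtime's own language); this is not Wasmtime's code. Linear memory is a byte slice, the guest supplies a pointer and a length in UTF-16 code units, and the two check functions differ only in whether that count is converted to bytes before the comparison. The `UTF16_TAG` bit that marks a latin1+utf16 result which could not be narrowed to latin1 is reproduced from the canonical ABI as I remember it and should be treated as an assumption, as should the `HostReadPastEnd` error, which stands in for the guard-page segfault (or the read of host memory when guard pages are off).

```rust
// Added example modelling CVE-2026-34941; not Wasmtime source.
// Linear memory is a byte slice; the guest passes (ptr, code_units) for a UTF-16LE string.

/// Tag bit the canonical ABI sets on the returned length when a latin1+utf16
/// string had to stay UTF-16 (assumed here, not taken from the advisory).
pub const UTF16_TAG: u32 = 1 << 31;

#[derive(Debug, PartialEq, Eq)]
pub enum TranscodeError {
    /// The bounds check rejected the string.
    OutOfBounds,
    /// The bounds check passed but the read ran past linear memory: in the
    /// real host this is the guard-page segfault, or a read of host memory
    /// when guard pages are disabled.
    HostReadPastEnd,
}

/// Vulnerable form: the end offset is computed from the count of code units,
/// so a string in the upper half of memory passes even though its bytes do not fit.
pub fn check_bounds_vulnerable(mem_len: usize, ptr: usize, code_units: usize) -> bool {
    ptr.checked_add(code_units).map_or(false, |end| end <= mem_len)
}

/// Fixed form: a UTF-16 code unit is two bytes, so convert before comparing,
/// with overflow-checked arithmetic.
pub fn check_bounds_fixed(mem_len: usize, ptr: usize, code_units: usize) -> bool {
    code_units
        .checked_mul(2)
        .and_then(|bytes| ptr.checked_add(bytes))
        .map_or(false, |end| end <= mem_len)
}

/// Transcodes a UTF-16LE string in `memory` to latin1+utf16 using the supplied
/// bounds check. Returns the encoded bytes and the length word the callee sees:
/// the plain length for latin1, or length | UTF16_TAG when UTF-16 had to be kept.
pub fn transcode_utf16_to_latin1_utf16(
    memory: &[u8],
    ptr: usize,
    code_units: usize,
    check: fn(usize, usize, usize) -> bool,
) -> Result<(Vec<u8>, u32), TranscodeError> {
    if !check(memory.len(), ptr, code_units) {
        return Err(TranscodeError::OutOfBounds);
    }
    // The host reads 2 * code_units bytes regardless of which check ran.
    let end = code_units
        .checked_mul(2)
        .and_then(|bytes| ptr.checked_add(bytes))
        .ok_or(TranscodeError::HostReadPastEnd)?;
    let bytes = memory.get(ptr..end).ok_or(TranscodeError::HostReadPastEnd)?;
    let units: Vec<u16> = bytes
        .chunks_exact(2)
        .map(|c| u16::from_le_bytes([c[0], c[1]]))
        .collect();
    if units.iter().all(|&u| u <= 0xFF) {
        // Every unit fits in one byte: narrow to latin1.
        Ok((units.iter().map(|&u| u as u8).collect(), units.len() as u32))
    } else {
        // Keep the UTF-16LE bytes and tag the length.
        Ok((bytes.to_vec(), units.len() as u32 | UTF16_TAG))
    }
}

/// Constructed 16-byte linear memory: "Wasm" in UTF-16LE at offset 0, "AAAA" at offset 8.
pub fn sample_memory() -> Vec<u8> {
    let mut mem = Vec::with_capacity(16);
    for unit in "WasmAAAA".encode_utf16() {
        mem.extend_from_slice(&unit.to_le_bytes());
    }
    mem
}

fn main() {
    let mem = sample_memory();
    // Well-formed call: 4 code units at offset 0 narrow to latin1 "Wasm".
    println!("{:?}", transcode_utf16_to_latin1_utf16(&mem, 0, 4, check_bounds_fixed));
    // Malicious call: 6 code units at offset 8 claim 12 bytes where only 8 remain.
    // 8 + 6 <= 16 satisfies the vulnerable check; 8 + 12 > 16 fails the fixed one.
    println!("{:?}", transcode_utf16_to_latin1_utf16(&mem, 8, 6, check_bounds_vulnerable));
    println!("{:?}", transcode_utf16_to_latin1_utf16(&mem, 8, 6, check_bounds_fixed));
}
```

With the vulnerable check the malicious call reaches the read and fails with `HostReadPastEnd`; that is the point at which a real host either faults on the guard page or, with guard pages disabled, copies host memory past the end of linear memory into the callee's string. The fixed check rejects the same call before any read happens.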

Affected Systems

The affected product is the Wasmtime runtime from the Bytecode Alliance. Every release before 24.0.7, 36.0.7, 42.0.2 and 43.0.1 is vulnerable; those four patch releases are the fixes for their respective branches. The vulnerable code is the component‑model string transcoder, so the path is exercised by embedders that run components and pass UTF‑16 strings across a component boundary into the latin1+utf16 encoding. Wasmtime is deployed this way in edge, container, and integration environments that execute WebAssembly.

Risk and Exploitability

The assigner's CVSS 4.0 score is 6.9 (Medium); the CVSS 3.1 vector later recorded in the history below rates the no‑guard‑page case more severely (8.1, with confidentiality impact High). The CVE is not in the CISA KEV catalog, EPSS is below 1%, and the SSVC assessment records no known exploitation. Exploitation requires a malicious or compromised component that presents a UTF‑16 string whose length in code units passes the check but whose byte length runs past the end of its linear memory; the attack vector is local or remote depending on how untrusted components reach the runtime. In the default configuration the result is a host crash (denial of service); with guard pages disabled the over‑read returns host memory past the end of linear memory, which is an information‑disclosure risk.

Generated by OpenCVE AI on April 10, 2026 at 01:51 UTC.

Remediation

Fixed by the vendor in Wasmtime 24.0.7, 36.0.7, 42.0.2 and 43.0.1 (GHSA-hx6p-xpx3-jvvv). No workaround other than keeping guard pages enabled, which limits the impact to a crash, is described.

OpenCVE Recommended Actions

  • Upgrade Wasmtime to the patched release for your branch: 24.0.7, 36.0.7, 42.0.2 or 43.0.1, or any later release
  • Keep guard pages enabled (Wasmtime's default); do not set the memory guard size to zero on an unpatched build, since that turns the crash into a read of host memory (the setting is Config::memory_guard_size in recent releases; older branches split it into static and dynamic guard sizes)
  • Do not run untrusted WebAssembly components on unpatched builds
  • Monitor for Wasmtime host processes terminating with SIGSEGV, the observable effect of an attempted over‑read in the default configuration
  • Until patched, reject or isolate components whose canonical ABI options declare a UTF‑16 string encoding (utf16 or latin1+utf16) for strings crossing a component boundary

Generated by OpenCVE AI on April 10, 2026 at 01:51 UTC.

Advisories

  Source: GitHub GHSA
  ID:     GHSA-hx6p-xpx3-jvvv
  Title:  Wasmtime: Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding
History

Mon, 20 Apr 2026 18:30:00 +0000

  CPEs     added:  cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*
  Metrics  cvssV3_1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
                 -> 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)

Fri, 10 Apr 2026 15:15:00 +0000

  Metrics  added:  ssvc 2.0.3 (Exploitation: none; Automatable: no; Technical Impact: partial)

Fri, 10 Apr 2026 09:00:00 +0000

  First Time appeared  added:  Bytecodealliance; Bytecodealliance wasmtime
  Vendors & Products   added:  Bytecodealliance; Bytecodealliance wasmtime

Fri, 10 Apr 2026 00:15:00 +0000

  Weaknesses  added:  CWE-135
  References  (values not shown)
  Metrics     added:  cvssV3_1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
              threat_severity: None -> Moderate

Thu, 09 Apr 2026 18:45:00 +0000

  Description  added:  the CVE description quoted at the top of this page
  Title        added:  Wasmtime has a Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding
  Weaknesses   added:  CWE-125
  References   (values not shown)
  Metrics      added:  cvssV4_0 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T14:11:52.558Z

Reserved: 2026-03-31T17:27:08.660Z

Link: CVE-2026-34941

Vulnrichment

Updated: 2026-04-10T14:11:48.773Z

NVD

Status : Analyzed

Published: 2026-04-09T19:16:23.693

Modified: 2026-04-20T18:28:46.393

Link: CVE-2026-34941

Red Hat

Severity : Moderate

Public Date: 2026-04-09T18:29:30Z

Links: CVE-2026-34941 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:31:45Z

Weaknesses