Description
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
Published: 2026-04-09
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Host Panic Leading to Denial of Service
Action: Apply Patch
AI Analysis

Impact

Wasmtime, a WebAssembly runtime, contains a bug that causes the host to panic when transcoding misaligned UTF-16 strings. The panic occurs because the implementation does not correctly verify the alignment of reallocated strings before passing their pointers to the host for transcoding. Triggering this panic results in a denial-of-service condition, as the host will terminate or restart a component. The weakness is classified as CWE-129 (Improper Validation of Array Index) and CWE-823 (Use of Out-of-range Pointer Offset).

Affected Systems

The vulnerability affects the bytecodealliance:wasmtime product. It is present in releases prior to 24.0.7, 36.0.7, 42.0.2 and 43.0.1. Users running any Wasmtime version that does not include one of these fixes are at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no currently confirmed widespread exploitation. The attack vector is inferred to be from a malicious guest component, which can supply specially crafted strings across Wasmtime components to force the host panic, thereby causing a denial‑of‑service. The required attacker capability is the ability to execute guest code within Wasmtime, which is typically local to the host environment.

Generated by OpenCVE AI on April 10, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wasmtime to a patched release (24.0.7, 36.0.7, 42.0.2, or 43.0.1).
  • Verify that the runtime version matches one of the patched releases.
  • Deploy the latest patches as soon as possible to eliminate the panic condition.



Advisories
Source: Github GHSA
ID: GHSA-jxhv-7h78-9775
Title: Wasmtime: Panic when transcoding misaligned utf-16 strings

History

Mon, 20 Apr 2026 18:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Fri, 10 Apr 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Bytecodealliance; Bytecodealliance wasmtime

Type: Vendors & Products
Values Added: Bytecodealliance; Bytecodealliance wasmtime

Fri, 10 Apr 2026 04:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 00:15:00 +0000

Type: Weaknesses
Values Added: CWE-823

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 5.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H'}
Values Added: threat_severity Moderate


Thu, 09 Apr 2026 18:45:00 +0000

Type: Description
Values Added: Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.

Type: Title
Values Added: Wasmtime panics when transcoding misaligned utf-16 strings

Type: Weaknesses
Values Added: CWE-129

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T19:36:13.614Z

Reserved: 2026-03-31T17:27:08.660Z

Link: CVE-2026-34942

Vulnrichment

Updated: 2026-04-09T19:35:15.816Z

NVD

Status: Analyzed

Published: 2026-04-09T19:16:23.857

Modified: 2026-04-20T18:28:12.557

Link: CVE-2026-34942

Redhat

Severity: Moderate

Public Date: 2026-04-09T18:32:56Z

Links: CVE-2026-34942 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:31:44Z

Weaknesses