Description
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings between components contains a bug where the return value of a guest component's realloc is not validated before the host attempts to write through the pointer. This enables a guest to cause the host to write arbitrary transcoded string bytes to an arbitrary location up to 4GiB away from the base of linear memory. These writes on the host could hit unmapped memory or could corrupt host data structures depending on Wasmtime's configuration. Wasmtime by default reserves 4GiB of virtual memory for a guest's linear memory, meaning that by default this bug causes the host to hit unmapped memory and abort the process due to an unhandled fault. Wasmtime can be configured, however, to reserve less memory for a guest and to remove all guard pages, so some configurations of Wasmtime may lead to corruption of data outside of a guest's linear memory, such as host data structures or other guests' linear memories. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
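The check that the description says is missing, shown as an added illustration in Rust (Wasmtime's implementation language). This is not Wasmtime's code and all names are hypothetical: it validates a guest-supplied realloc result (pointer, length, alignment) against the current linear-memory length with overflow-safe arithmetic before the host copies transcoded bytes through it, and it also covers the general case of a pointer near the 4 GiB boundary that the page discusses.

```rust
// Added illustration (not Wasmtime's code): validating a guest-supplied
// realloc result before the host writes transcoded bytes through it.
// All names here are hypothetical.
use std::convert::TryFrom;

/// Errors a host should raise instead of writing out of bounds.
#[derive(Debug, PartialEq)]
pub enum ReallocError {
    /// ptr + len overflowed u32 or exceeded the current linear-memory length.
    OutOfBounds { ptr: u32, len: u32, memory_len: usize },
    /// The guest returned a pointer that does not satisfy the required alignment.
    Misaligned { ptr: u32, align: u32 },
}

/// Check that the range [ptr, ptr + len) returned by a guest `realloc` lies
/// entirely inside a linear memory of `memory_len` bytes and is aligned.
/// Returns the validated start offset as a `usize` on success.
pub fn validate_realloc_result(
    ptr: u32,
    len: u32,
    align: u32,
    memory_len: usize,
) -> Result<usize, ReallocError> {
    if align > 1 && ptr % align != 0 {
        return Err(ReallocError::Misaligned { ptr, align });
    }
    // Do the arithmetic in u64 so a ptr near u32::MAX cannot wrap around;
    // an unchecked u32 add here is exactly how a write lands far outside memory.
    let end = ptr as u64 + len as u64;
    if end > memory_len as u64 {
        return Err(ReallocError::OutOfBounds { ptr, len, memory_len });
    }
    Ok(ptr as usize)
}

/// Copy transcoded string bytes into the guest's linear memory only after
/// the destination has been validated. `memory` stands in for the host's
/// view of the guest linear memory (constructed for this example).
pub fn write_transcoded(
    memory: &mut [u8],
    ptr: u32,
    bytes: &[u8],
) -> Result<(), ReallocError> {
    let memory_len = memory.len();
    // A length that does not fit a wasm32 u32 can never be in bounds.
    let len = u32::try_from(bytes.len())
        .map_err(|_| ReallocError::OutOfBounds { ptr, len: u32::MAX, memory_len })?;
    let start = validate_realloc_result(ptr, len, 1, memory_len)?;
    memory[start..start + bytes.len()].copy_from_slice(bytes);
    Ok(())
}

fn main() {
    // Constructed sample: a 64 KiB linear memory (one wasm page).
    let mut memory = vec![0u8; 65536];
    let transcoded = "héllo".as_bytes(); // 6 bytes of UTF-8
    println!("{:?}", write_transcoded(&mut memory, 1024, transcoded));
    println!("{:?}", write_transcoded(&mut memory, 65535, transcoded));
    println!("{:?}", write_transcoded(&mut memory, u32::MAX, transcoded));
}
```

The two rejected calls in `main` are the cases the advisory describes: a pointer that is inside memory but whose range runs past the end, and a pointer so large that naive 32-bit `ptr + len` arithmetic would wrap to a small offset while the real destination lies up to 4 GiB past the base.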
Published: 2026-04-09
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary memory write
Action: Immediate Patch
AI Analysis

Impact

Wasmtime's implementation of string transcoding between components fails to validate the memory address returned by a guest component's realloc function. This flaw allows a malicious guest to cause the host to write arbitrary transcoded string bytes to a location anywhere up to 4 GiB away from the base of linear memory. The resulting out-of-bounds write can corrupt host data structures, other guests' memories, or trigger an unhandled fault that aborts the process. Such corruption or crash can enable arbitrary code execution or lead to denial of service.

Affected Systems

The vulnerability affects the Wasmtime runtime provided by Bytecode Alliance. All releases before version 24.0.7, 36.0.7, 42.0.2, and 43.0.1 are impacted. The fix is available in those exact versions and any later maintenance releases.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium severity. The exploit relies on a guest WebAssembly component that can invoke the vulnerable realloc-handling logic, so an attacker must be able to supply and load a malicious component into the Wasmtime host. Hosts configured with the default 4 GiB guest memory and guard pages will typically crash the process, while hosts reducing the reserved memory or disabling guard pages may suffer data corruption, potentially enabling remote code execution. No known public exploits exist and the vulnerability is not listed in the KEV catalog; however, organizations running unpatched Wasmtime versions should consider the risk significant due to the potential impact on host integrity.

Generated by OpenCVE AI on April 9, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wasmtime to version 24.0.7, 36.0.7, 42.0.2, 43.0.1, or any later release that contains the fix.



Advisories
Source       ID                    Title
Github GHSA  GHSA-394w-hwhg-8vgm   Wasmtime has out-of-bounds write or crash when transcoding component model strings
History

Fri, 10 Apr 2026 09:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Bytecodealliance
                                      Bytecodealliance wasmtime
Vendors & Products                    Bytecodealliance
                                      Bytecodealliance wasmtime

Fri, 10 Apr 2026 00:15:00 +0000

Type        Values Removed          Values Added
References
Metrics     threat_severity: None   cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L'}
                                    threat_severity: Moderate


Thu, 09 Apr 2026 19:00:00 +0000

Type          Values Removed   Values Added
Description                    Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings between components contains a bug where the return value of a guest component's realloc is not validated before the host attempts to write through the pointer. This enables a guest to cause the host to write arbitrary transcoded string bytes to an arbitrary location up to 4GiB away from the base of linear memory. These writes on the host could hit unmapped memory or could corrupt host data structures depending on Wasmtime's configuration. Wasmtime by default reserves 4GiB of virtual memory for a guest's linear memory, meaning that by default this bug causes the host to hit unmapped memory and abort the process due to an unhandled fault. Wasmtime can be configured, however, to reserve less memory for a guest and to remove all guard pages, so some configurations of Wasmtime may lead to corruption of data outside of a guest's linear memory, such as host data structures or other guests' linear memories. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
Title                          Wasmtime has an out-of-bounds write or crash when transcoding component model strings
Weaknesses                     CWE-787
References
Metrics                        cvssV4_0: {'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T18:55:56.467Z

Reserved: 2026-04-01T18:48:58.936Z

Link: CVE-2026-35195

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-09T19:16:25.500

Modified: 2026-04-09T19:16:25.500

Link: CVE-2026-35195

Redhat

Severity: Moderate

Public Date: 2026-04-09T18:55:56Z

Links: CVE-2026-35195 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:29:51Z

Weaknesses