CVE-2026-34941: Heap Out-of-bounds Read in Wasmtime Component String Transcoding
Vulnerability ID: CVE-2026-34941
CVSS Score: 6.9
Published: 2026-04-09
Wasmtime contains a critical out-of-bounds read vulnerability in its Fast API Call Trampoline (fact) compiler. A logic error during UTF-16 string transcoding validates the string length using code units rather than byte sizes, allowing malicious WebAssembly guests to induce the host runtime into reading adjacent memory.
TL;DR
A bounds checking flaw in Wasmtime's UTF-16 transcoding logic allows WebAssembly modules to perform out-of-bounds memory reads, leading to denial of service or potential host memory disclosure.
Technical Details
- CWE ID: CWE-125
- Attack Vector: Local/Guest Module
- CVSS Score: 6.9
- EPSS Score: 0.00014
- Impact: Denial of Service / Information Disclosure
- Exploit Status: None
- KEV Status: Not Listed
Affected Systems
- Applications embedding Wasmtime
- Serverless WebAssembly platforms
- Wasmtime CLI
- Wasmtime < 24.0.7 (fixed in 24.0.7)
- Wasmtime 25.0.0 <= version < 36.0.7 (fixed in 36.0.7)
- Wasmtime 37.0.0 <= version < 42.0.2 (fixed in 42.0.2)
- Wasmtime 43.0.0 (fixed in 43.0.1)
Code Analysis
Commit: 96dde3a
Fix bounds checking logic for UTF-16 string transcoding
Commit: 9d73a6e
Fix bounds checking logic for UTF-16 string transcoding (42.0.x backport)
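The logic error described above, shown as an added illustration that is not Wasmtime's code and does not reproduce the patched commits: a bounds check that compares a UTF-16 code-unit count against the memory size accepts a (pointer, length) pair whose byte range runs past the end of linear memory, while the corrected check converts to bytes first. The linear memory, pointer and length values are constructed for the example.

```rust
// Constructed illustration of the length-unit mismatch; not Wasmtime's code.

/// Size of one UTF-16 code unit in bytes.
const UTF16_UNIT_BYTES: usize = 2;

/// Buggy check: treats `len_units` (a count of UTF-16 code units) as if
/// it were a byte count, so only half of the real range is validated.
fn utf16_in_bounds_buggy(ptr: usize, len_units: usize, mem_len: usize) -> bool {
    match ptr.checked_add(len_units) {
        Some(end) => end <= mem_len,
        None => false,
    }
}

/// Fixed check: converts code units to bytes with overflow checking, then
/// requires the whole byte range (and 2-byte alignment) to fit in memory.
fn utf16_in_bounds_fixed(ptr: usize, len_units: usize, mem_len: usize) -> bool {
    if ptr % UTF16_UNIT_BYTES != 0 {
        return false;
    }
    let len_bytes = match len_units.checked_mul(UTF16_UNIT_BYTES) {
        Some(b) => b,
        None => return false,
    };
    match ptr.checked_add(len_bytes) {
        Some(end) => end <= mem_len,
        None => false,
    }
}

/// Decodes a little-endian UTF-16 string from `mem` only after the fixed
/// check passes; returns `None` for any rejected (ptr, len) pair.
fn decode_utf16_checked(mem: &[u8], ptr: usize, len_units: usize) -> Option<String> {
    if !utf16_in_bounds_fixed(ptr, len_units, mem.len()) {
        return None;
    }
    let bytes = &mem[ptr..ptr + len_units * UTF16_UNIT_BYTES];
    let units: Vec<u16> = bytes
        .chunks_exact(2)
        .map(|c| u16::from_le_bytes([c[0], c[1]]))
        .collect();
    String::from_utf16(&units).ok()
}

fn main() {
    // Constructed 8-byte "linear memory" holding "hi" as UTF-16LE.
    let mem: [u8; 8] = [b'h', 0, b'i', 0, 0, 0, 0, 0];
    // 6 code units are 12 bytes: the buggy check passes (6 <= 8), the fixed
    // check rejects (12 > 8) and the decoder never touches memory.
    println!("buggy accepts: {}", utf16_in_bounds_buggy(0, 6, mem.len()));
    println!("fixed accepts: {}", utf16_in_bounds_fixed(0, 6, mem.len()));
    println!("decoded: {:?}", decode_utf16_checked(&mem, 0, 2));
}
```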
Mitigation Strategies
- Upgrade Wasmtime crate to a patched version
- Ensure Wasmtime linear memory guard pages are enabled and adequately sized
Remediation Steps:
- Identify all applications utilizing the Wasmtime runtime.
- Update the wasmtime dependency in Cargo.toml to version 43.0.1, 42.0.2, 36.0.7, or 24.0.7, depending on the active branch.
- Recompile the host application and deploy the updated binaries.
- Verify runtime configurations to confirm guard page settings are not improperly disabled.