DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-34942: CVE-2026-34942: Denial of Service via Unaligned Memory Allocation in Wasmtime Component Model

#security #cve #cybersecurity

CVE-2026-34942: Denial of Service via Unaligned Memory Allocation in Wasmtime Component Model

Vulnerability ID: CVE-2026-34942
CVSS Score: 5.9
Published: 2026-04-09

Wasmtime fails to verify the alignment of memory pointers returned by guest modules during UTF-16 string transcoding. A malicious guest can exploit this by returning an unaligned pointer from its reallocation function, triggering an unrecoverable host panic and causing a complete denial of service.

TL;DR

A flaw in Wasmtime's Component Model ABI handling allows a malicious WebAssembly guest to crash the host runtime by supplying an unaligned memory pointer during string transcoding operations.

Technical Details

  • CWE ID: CWE-129
  • Attack Vector: Network
  • CVSS v4.0: 5.9 (Medium)
  • EPSS Score: 0.00014
  • Primary Impact: Denial of Service (DoS)
  • Exploit Status: None
  • KEV Status: Not Listed

Affected Systems

  • Wasmtime Runtime
  • Wasmtime Component Model ABI
  • Fast-call Trampoline (fact) Compiler
  • Wasmtime: < 24.0.7 (Fixed in: 24.0.7)
  • Wasmtime: >= 25.0.0, < 36.0.7 (Fixed in: 36.0.7)
  • Wasmtime: >= 37.0.0, < 42.0.2 (Fixed in: 42.0.2)
  • Wasmtime: >= 43.0.0, < 43.0.1 (Fixed in: 43.0.1)

Code Analysis

Commit: 96dde3a

Add verification for memory alignment after guest realloc execution within the fact compiler.

self.verify_aligned(dst_opts.data_model.unwrap_memory(), dst.ptr.idx, 2);
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade Wasmtime dependencies to patched versions (24.0.7, 36.0.7, 42.0.2, 43.0.1).
  • Audit internal codebases for Wasmtime runtime embedding.
  • If utilizing the Component Model, ensure all string transcoding paths operate on updated infrastructure.

Remediation Steps:

  1. Identify projects utilizing Wasmtime as a runtime dependency.
  2. Modify Cargo.toml to specify a patched Wasmtime version.
  3. Execute cargo update to pull the remediated crates.
  4. Rebuild the host application and deploy to target environments.
  5. Verify that the deployment correctly handles WebAssembly traps triggered by misaligned guest pointers.

References

Read the full report for CVE-2026-34942 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)