CVE Reports

Originally published at cvereports.com

CVE-2026-34943: Host-Side Panic and Denial of Service in Wasmtime Dynamic Lifting

Vulnerability ID: CVE-2026-34943
CVSS Score: 5.6
Published: 2026-04-09

Wasmtime is vulnerable to a denial-of-service condition caused by a host-side panic triggered when dynamically lifting WebAssembly Component Model flags types. The dynamic lifter fails to ignore undefined bits supplied by a guest, so a guest-controlled value reaches an internal invariant check and produces an unhandled panic in the host process.

TL;DR

A missing bitmasking step in Wasmtime's dynamic lifter allows malicious WebAssembly guests to crash the host runtime by returning extraneous bits in a flags type, causing a Rust panic.
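The failure mode described above, modelled as an added Rust example that is not Wasmtime's code: `FlagsType`, `FlagsVal`, `lift_flags_unchecked` and `lift_flags_masked` are assumed names, and the three-bit flags type and the guest value are constructed for the demonstration. The unchecked lifter asserts that every set bit is a defined one, so a guest value with extra bits turns the assertion into a host panic; the masked lifter discards undefined bits before interpreting the value, so untrusted input never reaches the invariant check.

```rust
// Illustrative model of lifting a Component Model `flags` value from its
// 32-bit core-wasm representation. Added example; not Wasmtime's own code.

/// A hypothetical flags type: bit i corresponds to names[i].
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct FlagsType {
    pub names: Vec<&'static str>,
}

impl FlagsType {
    /// Mask covering only the bits this type actually defines.
    pub fn defined_mask(&self) -> u32 {
        if self.names.len() >= 32 {
            u32::MAX
        } else {
            (1u32 << self.names.len()) - 1
        }
    }
}

/// Lifted flags value: the names whose bit was set.
#[derive(Debug, PartialEq, Eq)]
pub struct FlagsVal(pub Vec<&'static str>);

/// Vulnerable pattern: the lifter assumes the guest only sets defined bits
/// and asserts on that assumption. Guest-controlled input with an undefined
/// bit set therefore panics the host, which is the advisory's failure mode.
pub fn lift_flags_unchecked(ty: &FlagsType, raw: u32) -> FlagsVal {
    assert!(
        (raw & !ty.defined_mask()) == 0,
        "undefined flag bits set in guest value {raw:#x}"
    );
    collect(ty, raw)
}

/// Hardened pattern: undefined bits are masked off first, so the value that
/// reaches interpretation is always well-formed regardless of guest input.
pub fn lift_flags_masked(ty: &FlagsType, raw: u32) -> FlagsVal {
    collect(ty, raw & ty.defined_mask())
}

/// Turn a (known-valid) bit pattern into the list of set flag names.
fn collect(ty: &FlagsType, bits: u32) -> FlagsVal {
    FlagsVal(
        ty.names
            .iter()
            .enumerate()
            .filter(|(i, _)| bits & (1u32 << i) != 0)
            .map(|(_, name)| *name)
            .collect(),
    )
}

fn main() {
    let ty = FlagsType { names: vec!["read", "write", "exec"] };
    // Constructed guest value: read + exec plus an undefined bit 7.
    let from_guest: u32 = 0b1000_0101;
    println!("masked lifter:   {:?}", lift_flags_masked(&ty, from_guest));
    // Catch the panic so the demonstration itself does not take the process down.
    let outcome = std::panic::catch_unwind(|| lift_flags_unchecked(&ty, from_guest));
    println!("unchecked lifter panicked: {}", outcome.is_err());
}
```

In a real host the assertion would not be caught: the panic unwinds through the embedding's call into the runtime and, under the default panic strategy, terminates the host unless the embedder has its own unwind boundary, which is why masking at the lifting boundary is the correct fix rather than catching panics.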


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-248 (Uncaught Exception)
  • Attack Vector: Network (Requires Module Upload/Execution Privileges)
  • CVSS 4.0 Score: 5.6 (Medium)
  • Impact: Denial of Service (Host Process Panic)
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed

Affected Systems

  • Wasmtime WebAssembly Runtime Engine (Dynamic Val API deployments)
  • Host applications utilizing Wasmtime's wasmtime::component::Val for component model integration
  • Wasmtime: < 24.0.7 (Fixed in: 24.0.7)
  • Wasmtime: >= 25.0.0, < 36.0.7 (Fixed in: 36.0.7)
  • Wasmtime: >= 37.0.0, < 42.0.2 (Fixed in: 42.0.2)
  • Wasmtime: >= 43.0.0, < 44.0.1 (Fixed in: 43.0.1)

Mitigation Strategies

  • Upgrade Wasmtime dependencies to one of the patched release versions.
  • Migrate host applications to utilize statically generated bindings via the bindgen! macro.
  • Restrict WebAssembly component upload and instantiation privileges to highly trusted operators until patches can be deployed.

Remediation Steps:

  1. Identify all host applications relying on the Wasmtime runtime engine.
  2. Review the project source code to determine if the wasmtime::component::Val API is used for dynamic guest interactions.
  3. Update the Cargo.toml file to reference the corresponding patched Wasmtime version (e.g., 43.0.1).
  4. Recompile the host application and execute regression testing.
  5. Deploy the updated host binaries to production environments.
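A helper for step 3 of the remediation, as an added Rust example (not part of Wasmtime or of this report's tooling): it extracts the resolved `wasmtime` version from a `Cargo.lock` and checks it against the affected ranges listed under Affected Systems above. `Version`, `parse_version`, `wasmtime_version_from_lock` and `fixed_release_for` are assumed names, the `Cargo.lock` fragment in `main` is constructed, and the ranges are transcribed as printed, including the last entry's upper bound, which should be confirmed against the upstream advisory before relying on it.

```rust
// Added example: locate the wasmtime version a project resolves to and map it
// to the fixed release from this report. Not Wasmtime's own code.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u32, pub u32, pub u32);

/// Parse "MAJOR.MINOR.PATCH"; anything else yields None.
pub fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u32>().ok());
    let v = Version(parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() {
        return None;
    }
    Some(v)
}

/// (inclusive lower bound, exclusive upper bound, fixed release), transcribed
/// from the Affected Systems list above. The last entry is copied as printed.
pub const AFFECTED: &[(Version, Version, Version)] = &[
    (Version(0, 0, 0), Version(24, 0, 7), Version(24, 0, 7)),
    (Version(25, 0, 0), Version(36, 0, 7), Version(36, 0, 7)),
    (Version(37, 0, 0), Version(42, 0, 2), Version(42, 0, 2)),
    (Version(43, 0, 0), Version(44, 0, 1), Version(43, 0, 1)),
];

/// If `v` falls inside an affected range, return the release to upgrade to.
pub fn fixed_release_for(v: Version) -> Option<Version> {
    AFFECTED
        .iter()
        .find(|(lo, hi, _)| *lo <= v && v < *hi)
        .map(|(_, _, fix)| *fix)
}

/// Scan Cargo.lock text for the `[[package]]` entry named exactly "wasmtime"
/// (so "wasmtime-environ" and friends are skipped) and parse its version line.
pub fn wasmtime_version_from_lock(lock: &str) -> Option<Version> {
    let mut in_wasmtime = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_wasmtime = false;
        } else if line == "name = \"wasmtime\"" {
            in_wasmtime = true;
        } else if in_wasmtime {
            if let Some(rest) = line.strip_prefix("version = \"") {
                return parse_version(rest.trim_end_matches('"'));
            }
        }
    }
    None
}

fn main() {
    // Constructed Cargo.lock fragment for the demonstration.
    let lock = "[[package]]\nname = \"wasmtime-environ\"\nversion = \"36.0.6\"\n\n\
                [[package]]\nname = \"wasmtime\"\nversion = \"36.0.6\"\n";
    match wasmtime_version_from_lock(lock).map(|v| (v, fixed_release_for(v))) {
        Some((v, Some(fix))) => println!("wasmtime {v:?} is affected; upgrade to {fix:?}"),
        Some((v, None)) => println!("wasmtime {v:?} is outside the listed affected ranges"),
        None => println!("no wasmtime package found in Cargo.lock"),
    }
}
```

Run it against the real lock file of each host identified in step 1; a project that depends on wasmtime only transitively still shows up in `Cargo.lock`, which is why the lock file rather than `Cargo.toml` is the right place to look. Step 2 (whether `wasmtime::component::Val` is used) still needs a source review, since the lock file cannot tell you which API the host calls.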
