CVE-2026-35195: Out-of-Bounds Write in Wasmtime Component Model Transcoding
Vulnerability ID: CVE-2026-35195
CVSS Score: 6.1
Published: 2026-04-09
Wasmtime fails to validate the return value of guest realloc functions during component string transcoding operations. This vulnerability allows a malicious WebAssembly guest component to direct the host runtime to write transcoded data outside the boundaries of the linear memory, resulting in a denial of service or potential memory corruption.
TL;DR
A missing bounds check in the Wasmtime trampoline compiler allows guest components to supply arbitrary memory offsets during string transcoding, resulting in an out-of-bounds write on the host system.
Technical Details
- CWE ID: CWE-787
- Attack Vector: Network
- CVSS 4.0: 6.1 (Medium)
- Impact: Availability Loss (High) / Potential Sandbox Escape
- Exploit Status: None
- KEV Status: Not Listed
Affected Systems
- Wasmtime Runtime
- Fast Assembly Component Trampolines (FACT) Compiler
-
Wasmtime: < 24.0.7 (Fixed in:
24.0.7) -
Wasmtime: >= 25.0.0, < 36.0.7 (Fixed in:
36.0.7) -
Wasmtime: >= 37.0.0, < 42.0.2 (Fixed in:
42.0.2) -
Wasmtime: >= 43.0.0, < 43.0.1 (Fixed in:
43.0.1)
Code Analysis
Commit: 96dde3a
Fix Commit for v43.0.1
Commit: 9d73a6e
Fix Commit for v42.0.2
Commit: cd4b6ed
Release Commit for v43.0.1
Commit: 403f992
Release Commit for v42.0.2
Mitigation Strategies
- Upgrade Wasmtime dependencies to a patched version
- Ensure virtual memory reservations and guard pages are fully enabled to limit impact to DoS
Remediation Steps:
- Identify all projects utilizing the
wasmtimeRust crate. - Update the
Cargo.tomlfile to specify a patched version (e.g.,24.0.7,36.0.7,42.0.2,43.0.1). - Run
cargo update -p wasmtimeto update the lockfile. - Recompile the embedding host application.
- Deploy the updated host application to production environments.
References
Read the full report for CVE-2026-35195 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)