CVE-2026-34942
Unaligned Pointer Handling in Wasmtime Causes Host Panic DoS
Publication date: 2026-04-09
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bytecodealliance | wasmtime | Up to 24.0.7 (exc) |
| bytecodealliance | wasmtime | From 25.0.0 (inc) to 36.0.7 (exc) |
| bytecodealliance | wasmtime | From 37.0.0 (inc) to 42.0.2 (exc) |
| bytecodealliance | wasmtime | From 43.0.0 (inc) to 43.0.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to upgrade Wasmtime to one of the patched versions: 24.0.7, 36.0.7, 42.0.2, or 43.0.1.
There are no known workarounds for this vulnerability, so upgrading is the only effective immediate action.
Additionally, monitoring for host panics caused by Wasmtime and restricting untrusted guest components may help reduce exposure until the upgrade is applied.
Can you explain this vulnerability to me?
CVE-2026-34942 is a moderate severity vulnerability in the Wasmtime Rust package affecting versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1. The issue arises because Wasmtime improperly verifies the alignment of reallocated strings when transcoding them into the Component Model's UTF-16 or Latin1+UTF-16 encodings.
This improper verification allows unaligned pointers to be passed to the host during transcoding, which can cause the host to panic. Malicious guest components can exploit this by transferring specially crafted strings at specific memory addresses, triggering a host panic.
This host panic is considered a denial-of-service (DoS) vector because the panic conditions are controlled by the guest, allowing attackers to disrupt host operation remotely.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability primarily causes a denial-of-service (DoS) condition by triggering host panics through unaligned pointer handling during string transcoding in Wasmtime. It does not impact confidentiality or integrity of data.
Since the vulnerability affects availability but not confidentiality or integrity, its direct impact on compliance with standards like GDPR or HIPAA, which emphasize data protection and privacy, is limited.
However, availability is a component of many compliance frameworks, so organizations relying on Wasmtime might face challenges ensuring continuous service availability until the vulnerability is patched.
How can this vulnerability impact me?
This vulnerability can cause a denial-of-service (DoS) condition on the host running Wasmtime. Specifically, an attacker controlling a guest component can trigger a host panic by sending specially crafted strings, causing the host to crash or become unavailable.
There is no impact on confidentiality or integrity, but the availability of the affected system is highly impacted. This can disrupt services relying on Wasmtime, potentially causing downtime or service interruptions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or methods provided for identifying this vulnerability on your network or system.
Detection would generally involve checking the version of the Wasmtime runtime in use to determine if it is one of the vulnerable versions.
Since the vulnerability is triggered by malicious guests sending specific strings causing host panics, monitoring for unexpected host panics or crashes related to Wasmtime could be an indirect indicator.
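One way to do the version check described above, as an added example that is not part of the original page or Wasmtime's own tooling: it reads a `Cargo.lock` and flags `wasmtime` entries that fall inside the affected ranges from the table. The sample lockfile and the function names are constructed for illustration.

```python
import re

# Affected ranges from the advisory table: (first affected, first fixed), end exclusive.
AFFECTED = [
    ((0, 0, 0), (24, 0, 7)),
    ((25, 0, 0), (36, 0, 7)),
    ((37, 0, 0), (42, 0, 2)),
    ((43, 0, 0), (43, 0, 1)),
]
PKG_RE = re.compile(r'\[\[package\]\]\r?\nname = "([^"]+)"\r?\nversion = "([^"]+)"')

# Constructed sample lockfile (not taken from a real project).
SAMPLE_LOCK = '''\
[[package]]
name = "anyhow"
version = "1.0.86"

[[package]]
name = "wasmtime"
version = "36.0.6"

[[package]]
name = "wasmtime"
version = "43.0.1"
'''

def parse_version(text):
    """Split 'X.Y.Z[-pre][+build]' into ((X, Y, Z), is_prerelease)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?", text)
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4) is not None

def is_affected(version):
    """True if version is inside an affected range; a pre-release of a fixed
    version sorts before the fix, so it is treated as affected."""
    core, pre = parse_version(version)
    return any(first <= core < fixed or (pre and core == fixed)
               for first, fixed in AFFECTED)

def scan_lockfile(text):
    """Return [(version, affected)] for every wasmtime entry in a Cargo.lock."""
    return [(ver, is_affected(ver))
            for name, ver in PKG_RE.findall(text) if name == "wasmtime"]

if __name__ == "__main__":
    for ver, bad in scan_lockfile(SAMPLE_LOCK):
        print(f"wasmtime {ver}: {'AFFECTED, upgrade' if bad else 'patched'}")
```

A lockfile can pin more than one `wasmtime` version at once, so every entry is reported rather than only the first.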