CVE-2026-34942
Received Received - Intake
Unaligned Pointer Handling in Wasmtime Causes Host Panic DoS

Publication date: 2026-04-09

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34942
EUVD
EUVD-2026-20990
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
bytecodealliance wasmtime to 24.0.7 (exc)
bytecodealliance wasmtime From 25.0.0 (inc) to 36.0.7 (exc)
bytecodealliance wasmtime From 37.0.0 (inc) to 42.0.2 (exc)
bytecodealliance wasmtime From 43.0.0 (inc) to 43.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The primary and recommended mitigation step is to upgrade Wasmtime to one of the patched versions: 24.0.7, 36.0.7, 42.0.2, or 43.0.1.

There are no known workarounds for this vulnerability, so upgrading is the only effective immediate action.

Additionally, monitoring for host panics caused by Wasmtime and restricting untrusted guest components may help reduce exposure until the upgrade is applied.

Executive Summary

CVE-2026-34942 is a moderate severity vulnerability in the Wasmtime Rust package affecting versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1. The issue arises because Wasmtime improperly verifies the alignment of reallocated strings when transcoding them into the Component Model's UTF-16 or Latin1+UTF-16 encodings.

This improper verification allows unaligned pointers to be passed to the host during transcoding, which can cause the host to panic. Malicious guest components can exploit this by transferring specially crafted strings at specific memory addresses, triggering a host panic.

This host panic is considered a denial-of-service (DoS) vector because the panic conditions are controlled by the guest, allowing attackers to disrupt host operation remotely.

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition on the host running Wasmtime. Specifically, an attacker controlling a guest component can trigger a host panic by sending specially crafted strings, causing the host to crash or become unavailable.

There is no impact on confidentiality or integrity, but the availability of the affected system is highly impacted. This can disrupt services relying on Wasmtime, potentially causing downtime or service interruptions.

Detection Guidance

There are no specific detection commands or methods provided for identifying this vulnerability on your network or system.

Detection would generally involve checking the version of the Wasmtime runtime in use to determine if it is one of the vulnerable versions.

Since the vulnerability is triggered by malicious guests sending specific strings causing host panics, monitoring for unexpected host panics or crashes related to Wasmtime could be an indirect indicator.

Compliance Impact

This vulnerability primarily causes a denial-of-service (DoS) condition by triggering host panics through unaligned pointer handling during string transcoding in Wasmtime. It does not impact confidentiality or integrity of data.

Since the vulnerability affects availability but not confidentiality or integrity, its direct impact on compliance with standards like GDPR or HIPAAβ€”which emphasize data protection and privacyβ€”is limited.

However, availability is a component of many compliance frameworks, so organizations relying on Wasmtime might face challenges ensuring continuous service availability until the vulnerability is patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34942. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart