CVE-2026-35195
Arbitrary Memory Write in Wasmtime String Transcoding Component
Publication date: 2026-04-09
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bytecodealliance | wasmtime | before 24.0.7 (excluding 24.0.7) |
| bytecodealliance | wasmtime | from 25.0.0 (including) to 36.0.7 (excluding) |
| bytecodealliance | wasmtime | from 37.0.0 (including) to 42.0.2 (excluding) |
| bytecodealliance | wasmtime | 43.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35195 is a moderate severity vulnerability in the Wasmtime runtime for WebAssembly. The issue occurs because Wasmtime does not validate the return value of a guest component's realloc function before the host writes through the pointer during string transcoding between components.
This flaw allows a malicious guest to cause the host to write arbitrary transcoded string bytes out-of-bounds, up to 4 GiB away from the base of the guest's linear memory. By default, Wasmtime reserves 4 GiB of virtual memory for a guest's linear memory, so these out-of-bounds writes usually hit unmapped memory and cause the host process to abort due to an unhandled fault.
However, if Wasmtime is configured to reserve less memory and remove guard pages, this vulnerability can lead to corruption of host data structures or other guests' linear memories, potentially compromising host integrity.
The vulnerability is fixed in Wasmtime versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
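The following added example models the missing check in a simplified form. It is not Wasmtime's code: `LinearMemory`, `TranscodeError`, `transcode_to_utf16` and the closure-shaped `realloc` (taking a byte size and alignment, a cut-down version of the canonical ABI's realloc) are assumptions constructed for illustration. The point it shows is that the pointer a guest's realloc returns is guest-controlled, so the host must verify that `ptr..ptr+len` lies inside the guest's current memory size, using arithmetic that cannot wrap, before writing transcoded bytes through it.

```rust
use std::ops::Range;

/// Simplified stand-in for a guest's linear memory (constructed for this
/// example; not Wasmtime's real data structure). `bytes.len()` plays the
/// role of the memory's current size.
pub struct LinearMemory {
    pub bytes: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum TranscodeError {
    /// The guest's realloc returned a buffer that is not fully inside memory.
    ReallocOutOfBounds { ptr: u32, len: u32, mem_len: usize },
}

impl LinearMemory {
    pub fn new(size: usize) -> Self {
        LinearMemory { bytes: vec![0; size] }
    }

    /// Validate that `ptr..ptr+len` lies inside the current memory size.
    /// The sum is computed in u64 so a guest cannot pick a `ptr` near
    /// u32::MAX and have the end address wrap around to look in-bounds.
    pub fn checked_range(&self, ptr: u32, len: u32) -> Result<Range<usize>, TranscodeError> {
        let end = ptr as u64 + len as u64;
        if end > self.bytes.len() as u64 {
            return Err(TranscodeError::ReallocOutOfBounds { ptr, len, mem_len: self.bytes.len() });
        }
        Ok(ptr as usize..end as usize)
    }
}

/// Host-side transcoding step: transcode `src` to UTF-16LE, ask the guest for a
/// destination buffer through its exported realloc, validate what realloc
/// returned, and only then copy bytes into guest memory.
///
/// `realloc` is a hypothetical closure standing in for the guest export; here it
/// takes (byte_size, align) and returns a pointer, a simplification of the
/// canonical ABI's realloc(old_ptr, old_size, align, new_size).
pub fn transcode_to_utf16<F>(mem: &mut LinearMemory, src: &str, realloc: F) -> Result<u32, TranscodeError>
where
    F: FnOnce(u32, u32) -> u32,
{
    // Encode first so the exact byte length is known before asking for space.
    let encoded: Vec<u8> = src.encode_utf16().flat_map(|u| u.to_le_bytes()).collect();
    let len = encoded.len() as u32;

    // The guest controls this value entirely; it must be treated as untrusted.
    let ptr = realloc(len, 2);

    // This is the check the vulnerable versions skipped: writing through `ptr`
    // without it lets the guest steer the host's write anywhere within 4 GiB
    // of the memory base.
    let range = mem.checked_range(ptr, len)?;
    mem.bytes[range].copy_from_slice(&encoded);
    Ok(ptr)
}

fn main() {
    let mut mem = LinearMemory::new(64);

    // Well-behaved guest: hands back a buffer inside its memory.
    let ptr = transcode_to_utf16(&mut mem, "hi", |_size, _align| 8).unwrap();
    println!("wrote at {ptr}: {:?}", &mem.bytes[8..12]);

    // Misbehaving guest: returns a pointer far past the end of memory.
    let err = transcode_to_utf16(&mut mem, "hi", |_size, _align| 0xFFFF_FF00).unwrap_err();
    println!("rejected: {err:?}");
}
```

The check rejects both a pointer that starts past the end of memory and one that starts in-bounds but whose buffer runs past the end; a buffer ending exactly at the memory size is accepted. Whatever the runtime's real API looks like, the property to preserve is the same: no host write through a guest-supplied pointer without a bounds check against the guest's current memory size.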
How can this vulnerability impact me?
This vulnerability can impact you by causing the host process running Wasmtime to crash unexpectedly due to out-of-bounds memory writes, resulting in a denial of service.
In certain configurations where Wasmtime reserves less memory and removes guard pages, the vulnerability can lead to corruption of host data structures or other guests' linear memories, potentially compromising the integrity of the host system.
The attack can be performed remotely with low complexity and does not require user interaction, but it does require low privileges.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes the host process running Wasmtime to abort due to an unhandled fault when the guest triggers out-of-bounds writes. Detection can involve monitoring for unexpected Wasmtime process crashes or faults.
There are no specific commands provided to detect this vulnerability directly on the network or system.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Wasmtime to one of the patched versions: 24.0.7, 36.0.7, 42.0.2, or 43.0.1.
No known workarounds exist, so upgrading is strongly advised to prevent exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Wasmtime allows a guest to cause out-of-bounds writes in host memory, potentially leading to host process crashes or memory corruption. The impact on confidentiality and integrity is rated low; the primary effect is on availability, since the host process aborts.
There is no direct information indicating that this vulnerability leads to data breaches or unauthorized data access that would affect compliance with standards like GDPR or HIPAA.
Nonetheless, the potential for host data structure corruption in certain configurations could indirectly affect system stability and data integrity, which may have compliance implications depending on the environment and how Wasmtime is used.
Users are advised to upgrade to patched versions to mitigate these risks.