{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34942", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T17:27:08.660Z", "datePublished": "2026-04-09T18:32:56.456Z", "dateUpdated": "2026-04-09T19:36:13.614Z"}, "containers": {"cna": {"title": "Wasmtime panics when transcoding misaligned utf-16 strings", "problemTypes": [{"descriptions": [{"cweId": "CWE-129", "lang": "en", "description": "CWE-129: Improper Validation of Array Index", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L", "version": "4.0"}}], "references": [{"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775"}], "affected": [{"vendor": "bytecodealliance", "product": "wasmtime", "versions": [{"version": "< 24.0.7", "status": "affected"}, {"version": ">= 25.0.0, < 36.0.7", "status": "affected"}, {"version": ">= 37.0.0, < 42.0.2", "status": "affected"}, {"version": ">= 43.0.0, < 44.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T18:32:56.456Z"}, "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1."}], "source": {"advisory": "GHSA-jxhv-7h78-9775", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T19:35:07.866289Z", "id": "CVE-2026-34942", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T19:36:13.614Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34942", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T19:35:07.866289Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T19:35:15.816Z"}}], "cna": {"title": "Wasmtime panics when transcoding misaligned utf-16 strings", "source": {"advisory": "GHSA-jxhv-7h78-9775", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "bytecodealliance", "product": "wasmtime", "versions": [{"status": "affected", "version": "< 24.0.7"}, {"status": "affected", "version": ">= 25.0.0, < 36.0.7"}, {"status": "affected", "version": ">= 37.0.0, < 42.0.2"}, {"status": "affected", "version": ">= 43.0.0, < 44.0.1"}]}], "references": [{"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775", "name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-129", "description": "CWE-129: Improper Validation of Array Index"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T18:32:56.456Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34942", "state": "PUBLISHED", "dateUpdated": "2026-04-09T19:36:13.614Z", "dateReserved": "2026-03-31T17:27:08.660Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T18:32:56.456Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "matchCriteriaId": "5A39DBFB-CD5E-4551-8885-053DF90E277A", "versionEndExcluding": "24.0.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "matchCriteriaId": "B5AB2157-3977-49F9-9058-6B16A2556170", "versionEndExcluding": "36.0.7", "versionStartIncluding": "25.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "matchCriteriaId": "1D7B70EB-93E3-4732-AB70-E6A531178941", "versionEndExcluding": "42.0.2", "versionStartIncluding": "37.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "matchCriteriaId": "15FD6AA4-973B-4647-9222-40FBDC16A6FD", "versionEndExcluding": "43.0.1", "versionStartIncluding": "43.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1."}], "id": "CVE-2026-34942", "lastModified": "2026-04-20T18:28:12.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T19:16:23.857", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-129"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "wasmtime: Wasmtime: Denial of Service via improper string alignment verification", "id": "2457011", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457011"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-823", "details": ["A flaw was found in Wasmtime, a runtime for WebAssembly. This vulnerability allows a malicious guest to trigger a host panic by improperly verifying the alignment of reallocated strings during transcoding. By transferring specific strings across components, an attacker can exploit this to cause a Denial of Service (DoS) on the host system, making it unavailable."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-34942", "package_state": [{"cpe": "cpe:/a:redhat:connectivity_link:1", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhcl-1-3-wasm-shim", "product_name": "Red Hat Connectivity Link 1"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "virt-firmware-rs", "product_name": "Red Hat Enterprise Linux 10"}], "public_date": "2026-04-09T18:32:56Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34942\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34942\nhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,24.0.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[25.0.0,36.0.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[37.0.0,42.0.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[43.0.0,44.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wasmtime", "source": "cna", "vendor": "bytecodealliance"}, "product": "wasmtime", "vendor": "bytecodealliance"}], "analysis": {"en": {"generated_at": "2026-04-10T01:23:09.097104+00:00", "value": {"mitigation_remediation": ["Upgrade Wasmtime to version 24.0.7 or later (36.0.7, 42.0.2, or 43.0.1).", "Verify that the runtime version matches one of the patched releases.", "Deploy the latest patches as soon as possible to eliminate the panic condition."], "summary": {"action": "Apply Patch", "impact": "Host Panic Leading to Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the bytecodealliance:wasmtime product. It is present in releases prior to 24.0.7, 36.0.7, 42.0.2 and 43.0.1. Users running any unsupported Wasmtime version that has not applied one of these fixes are at risk.", "description_and_impact": "Wasmtime, a WebAssembly runtime, contains a bug that causes the host to panic when transcoding misaligned UTF\u201116 strings. The panic occurs because the implementation does not verify the alignment of reallocated strings before passing them to the host. Triggering this panic results in a denial\u2011of\u2011service condition, as the host will terminate or restart a component. The weakness is identified as out\u2011of\u2011bounds handling and misinterpretation of pointer alignment (CWE\u2011129 and CWE\u2011823).", "risk_and_exploitability": "The CVSS score of 5.9 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no currently confirmed widespread exploitation. The attack vector is inferred to be from a malicious guest component, which can supply specially crafted strings across Wasmtime components to force the host panic, thereby causing a denial\u2011of\u2011service. The required attacker capability is the ability to execute guest code within Wasmtime, which is typically local to the host environment."}}}}, "created": "2026-04-10T08:52:35.436489+00:00", "updated": "2026-04-10T09:31:44.591481+00:00", "vendors": ["bytecodealliance", "bytecodealliance$PRODUCT$wasmtime"]}