CVE-2026-34942
- Source
- https://cve.org/CVERecord?id=CVE-2026-34942
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34942.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-34942
- Aliases
- Downstream
- Related
- Published
- 2026-04-09T18:32:56.456Z
- Modified
- 2026-05-28T18:29:27.377699229Z
- Severity
-
- 5.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L CVSS Calculator
- Summary
- Wasmtime panics when transcoding misaligned utf-16 strings
- Details
-
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34942.json", "cwe_ids": [ "CWE-129" ], "cna_assigner": "GitHub_M" }- References