DEBIAN-CVE-2026-34942

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-34942
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-34942.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-34942
Upstream
Published
2026-04-09T19:16:23.857Z
Modified
2026-04-28T20:32:50.413663Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.

References

Affected packages

Debian:13 / rust-wasmtime

Package

Name
rust-wasmtime
Purl
pkg:deb/debian/rust-wasmtime?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

26.*
26.0.1+dfsg-3
26.0.1+dfsg-4
26.0.1+dfsg-5
26.0.1+dfsg-6
26.0.1+dfsg-7
26.0.1+dfsg-8
26.0.1+dfsg-9
26.0.1+dfsg-10
27.*
27.0.0+dfsg-2
27.0.0+dfsg-3
27.0.0+dfsg-4
28.*
28.0.1+dfsg-1
28.0.1+dfsg-2
28.0.1+dfsg-3
29.*
29.0.1+dfsg-1
29.0.1+dfsg-2
29.0.1+dfsg-3
29.0.1+dfsg-4
29.0.1+dfsg-5
29.0.1+dfsg-6
29.0.1+dfsg-7
29.0.1+dfsg-8
36.*
36.0.5+dfsg-1
36.0.5+dfsg-2
36.0.5+dfsg-3
36.0.5+dfsg-4
36.0.5+dfsg-5
36.0.6+dfsg-1
36.0.6+dfsg-2
36.0.6+dfsg-3
36.0.6+dfsg-4
36.0.6+dfsg-5
36.0.6+dfsg-6
36.0.6+dfsg-7
36.0.7+dfsg-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-34942.json"

Debian:14 / rust-wasmtime

Package

Name
rust-wasmtime
Purl
pkg:deb/debian/rust-wasmtime?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
36.0.7+dfsg-1

Affected versions

26.*
26.0.1+dfsg-3
26.0.1+dfsg-4
26.0.1+dfsg-5
26.0.1+dfsg-6
26.0.1+dfsg-7
26.0.1+dfsg-8
26.0.1+dfsg-9
26.0.1+dfsg-10
27.*
27.0.0+dfsg-2
27.0.0+dfsg-3
27.0.0+dfsg-4
28.*
28.0.1+dfsg-1
28.0.1+dfsg-2
28.0.1+dfsg-3
29.*
29.0.1+dfsg-1
29.0.1+dfsg-2
29.0.1+dfsg-3
29.0.1+dfsg-4
29.0.1+dfsg-5
29.0.1+dfsg-6
29.0.1+dfsg-7
29.0.1+dfsg-8
36.*
36.0.5+dfsg-1
36.0.5+dfsg-2
36.0.5+dfsg-3
36.0.5+dfsg-4
36.0.5+dfsg-5
36.0.6+dfsg-1
36.0.6+dfsg-2
36.0.6+dfsg-3
36.0.6+dfsg-4
36.0.6+dfsg-5
36.0.6+dfsg-6
36.0.6+dfsg-7

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-34942.json"