CVE-2026-34941
Published: 09 April 2026
Summary
CVE-2026-34941 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Bytecodealliance Wasmtime. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 4.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation requires identifying and patching the bounds check error in Wasmtime by upgrading to fixed versions, directly eliminating the out-of-bounds read vulnerability.
Memory protection mechanisms such as guard pages make an out-of-bounds read land on unmapped memory and trigger a segfault, preventing unauthorized access to host memory beyond WebAssembly linear memory.
Secure configuration settings keep guard pages and other protective defaults enabled in Wasmtime, mitigating the information disclosure risk that arises in nonstandard configurations without such protections.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is directly exploited over the network by supplying a malicious WebAssembly module to a Wasmtime runtime, matching the definition of exploiting a public-facing application.
NVD Description
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byte length of the input string when performing a bounds check. Specifically the number of code units was checked instead of the byte length, which is twice the size of the code units. This vulnerability can cause the host to read beyond the end of a WebAssembly's linear memory in an attempt to transcode nonexistent bytes. In Wasmtime's default configuration this will read unmapped memory on a guard page, terminating the process with a segfault. Wasmtime can be configured, however, without guard pages which would mean that host memory beyond the end of linear memory may be read and interpreted as UTF-16. A host segfault is a denial-of-service vulnerability in Wasmtime, and possibly being able to read beyond the end of linear memory is additionally a vulnerability. Note that reading beyond the end of linear memory requires nonstandard configuration of Wasmtime, specifically with guard pages disabled. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
Deeper analysis
CVE-2026-34941 is an out-of-bounds read vulnerability (CWE-125) affecting Wasmtime, a runtime for WebAssembly, in versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1. The issue arises during transcoding of a UTF-16 string to the latin1+utf16 component-model encoding, where a bounds check incorrectly validates the number of code units instead of the actual byte length, which is twice as large. This flaw causes the host to read beyond the end of the WebAssembly module's linear memory while attempting to transcode nonexistent bytes.
An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) by providing a malicious WebAssembly module that triggers the faulty transcoding. In Wasmtime's default configuration, this results in a segmentation fault upon reading unmapped memory on a guard page, leading to denial of service (A:H). If Wasmtime is configured in a nonstandard way, without guard pages, the attacker may read host memory beyond the linear memory boundary and have it interpreted as UTF-16 data, potentially disclosing sensitive information (C:H).
The Wasmtime security advisory at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hx6p-xpx3-jvvv details the vulnerability and recommends upgrading to the fixed versions: 24.0.7, 36.0.7, 42.0.2, or 43.0.1. The CVSS v3.1 base score is 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H), highlighting its high severity due to the combination of information disclosure and denial-of-service potential.
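The code-unit versus byte-length mix-up described above can be modeled in a few lines of safe Rust. This is an added illustration, not Wasmtime's source: a byte slice stands in for linear memory, and every function name and sample value is hypothetical.

```rust
// Simplified model (assumption): `mem` plays the role of WebAssembly linear memory.
#[derive(Debug, PartialEq)]
enum CheckError { OutOfBounds }

/// Flawed check: treats the UTF-16 code-unit count as if it were a byte count.
fn check_code_units(mem_len: usize, ptr: usize, units: usize) -> Result<(), CheckError> {
    match ptr.checked_add(units) {
        Some(end) if end <= mem_len => Ok(()),
        _ => Err(CheckError::OutOfBounds),
    }
}

/// Corrected check: validates the byte length (2 bytes per code unit),
/// using overflow-checked arithmetic so huge counts cannot wrap around.
fn check_byte_len(mem_len: usize, ptr: usize, units: usize) -> Result<(), CheckError> {
    let bytes = units.checked_mul(2).ok_or(CheckError::OutOfBounds)?;
    match ptr.checked_add(bytes) {
        Some(end) if end <= mem_len => Ok(()),
        _ => Err(CheckError::OutOfBounds),
    }
}

/// Bytes past the end of memory that a transcoder would touch for this request.
fn overread_bytes(mem_len: usize, ptr: usize, units: usize) -> usize {
    ptr.saturating_add(units.saturating_mul(2)).saturating_sub(mem_len)
}

/// Reads UTF-16LE code units only after the byte-length check has passed.
fn read_utf16(mem: &[u8], ptr: usize, units: usize) -> Result<Vec<u16>, CheckError> {
    check_byte_len(mem.len(), ptr, units)?;
    Ok(mem[ptr..ptr + units * 2]
        .chunks_exact(2)
        .map(|b| u16::from_le_bytes([b[0], b[1]]))
        .collect())
}

fn main() {
    // Constructed sample: 64 bytes of memory, four code units stored at the very end.
    let mut mem = vec![0u8; 64];
    mem[56..64].copy_from_slice(&[b'h', 0, b'i', 0, b'!', 0, b'?', 0]);
    // Request 8 code units at offset 56: 56 + 8 = 64 fits, but 56 + 16 = 72 does not.
    println!("flawed check:  {:?}", check_code_units(mem.len(), 56, 8));
    println!("fixed check:   {:?}", check_byte_len(mem.len(), 56, 8));
    println!("over-read:     {} bytes", overread_bytes(mem.len(), 56, 8));
    println!("in-bounds read: {:?}", read_utf16(&mem, 56, 4));
}
```

In this model the over-read is caught by the slice bounds check; in a native runtime the same bytes fall on a guard page (segfault) or, with guard pages disabled, on adjacent host memory.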
Details
- CWE(s)