CVE-2026-34943
Published: 09 April 2026
Summary
CVE-2026-34943 is a high-severity Uncaught Exception (CWE-248) vulnerability in Bytecodealliance Wasmtime. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability ranks at the 4.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: requires timely identification, reporting, and correction of software flaws such as the panic in Wasmtime's flags value lifting; directly mitigated by upgrading to a patched version.
- SI-11 (Error Handling): mandates error handling that prevents security failures from uncaught exceptions, addressing the panic triggered by unexpected bits in flags-typed values.
- SI-10 (Information Input Validation): enforces validation of inputs from untrusted sources such as malicious WebAssembly guests, so that malformed flags values are detected and handled before processing.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables a malicious WebAssembly guest to supply crafted input that triggers an uncaught panic in the Wasmtime host runtime, directly facilitating Endpoint Denial of Service via application exploitation (T1499.004).
NVD Description
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags, the component model specifies that these bits should be ignored, but Wasmtime will panic when this value is lifted. This panic only affects wasmtime's implementation of lifting into Val, not when using the flags! macro. This additionally only affects flags-typed values which are part of a WIT interface. This has the risk of being a guest-controlled panic within the host which Wasmtime considers a DoS vector. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
Deeper analysis
CVE-2026-34943 is a vulnerability in Wasmtime, a runtime for WebAssembly, affecting versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1. The issue arises during the lifting of a flags-typed component model value into the Val type, where Wasmtime panics if bits outside the specified flags are set, despite the component model requiring those bits to be ignored. This flaw is specific to Wasmtime's implementation of lifting into Val and flags-typed values within WIT interfaces; it does not impact usage of the flags! macro.
Attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). A malicious WebAssembly guest can supply a crafted flags-typed value to trigger the panic in the Wasmtime host, resulting in a denial-of-service condition classified under CWE-248 (Uncaught Exception).
The Wasmtime security advisory at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m758-wjhj-p3jq details the fix, recommending upgrades to Wasmtime versions 24.0.7, 36.0.7, 42.0.2, or 43.0.1 to mitigate the vulnerability.
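The following Rust program is an added illustration of the failure mode described above; it is not Wasmtime's source code and does not use the Wasmtime API. It models a WIT `flags` type with three constructed member names (`read`, `write`, `exec`) carried as a single `u32`, and contrasts a strict lifter that panics on undefined bits (the pre-fix behaviour the advisory describes) with a lenient lifter that masks them off, which is what the component model specifies. The `strict_panics_on` helper uses `std::panic::catch_unwind` only to demonstrate that the strict path unwinds on a guest-chosen value.

```rust
use std::panic;

// Constructed example: a WIT `flags` type with three named members. In the
// canonical ABI a flags value with up to 32 members is carried as one i32.
const FLAG_NAMES: &[&str] = &["read", "write", "exec"];

/// Bitmask covering only the members the interface actually defines.
fn defined_mask() -> u32 {
    (1u32 << FLAG_NAMES.len()) - 1
}

/// Pre-fix behaviour (illustrative, not Wasmtime's code): treats any bit
/// outside the defined set as an invariant violation and panics. Because the
/// raw value originates from the guest, this is a guest-controlled host panic.
fn lift_flags_strict(raw: u32) -> Vec<&'static str> {
    assert!(
        raw & !defined_mask() == 0,
        "flags value {raw:#x} has bits set outside the defined members"
    );
    names_for(raw)
}

/// Fixed behaviour: the component model says undefined bits are ignored, so
/// mask them off before interpreting the value. No guest input can panic here.
fn lift_flags_lenient(raw: u32) -> Vec<&'static str> {
    names_for(raw & defined_mask())
}

/// Map set bits to member names; assumes the caller has already masked.
fn names_for(bits: u32) -> Vec<&'static str> {
    FLAG_NAMES
        .iter()
        .enumerate()
        .filter(|&(i, _)| bits & (1u32 << i) != 0)
        .map(|(_, name)| *name)
        .collect()
}

/// Returns true if lifting `raw` with the strict lifter panics. This is what
/// turns a malformed value into a denial of service for the embedding host.
fn strict_panics_on(raw: u32) -> bool {
    // Silence the default panic message so the demonstration output stays clean.
    let prev = panic::take_hook();
    panic::set_hook(Box::new(|_| {}));
    let result = panic::catch_unwind(|| lift_flags_strict(raw));
    panic::set_hook(prev);
    result.is_err()
}

fn main() {
    // Well-formed value: both lifters agree.
    println!("{:?}", lift_flags_lenient(0b101)); // ["read", "exec"]

    // Guest sets an undefined bit (bit 31). The strict lifter panics; the
    // lenient lifter ignores the bit exactly as the specification requires.
    let hostile = 0b101 | (1 << 31);
    println!("strict panics: {}", strict_panics_on(hostile)); // true
    println!("{:?}", lift_flags_lenient(hostile)); // ["read", "exec"]
}
```

The design point is that the fix is not input rejection but conformance: the specification already defines what undefined bits mean, so the host normalises the value rather than asserting on it. Embedders who cannot upgrade immediately should still note that `catch_unwind` at a host boundary is a containment measure, not a substitute for the patched lifter.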
Details
- CWE(s)