CVE-2026-35195: CWE-787: Out-of-bounds Write in bytecodealliance wasmtime
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings between components contains a bug where the return value of a guest component's realloc is not validated before the host attempts to write through the pointer. This enables a guest to cause the host to write arbitrary transcoded string bytes to an arbitrary location up to 4GiB away from the base of linear memory. These writes on the host could hit unmapped memory or could corrupt host data structures depending on Wasmtime's configuration. Wasmtime by default reserves 4GiB of virtual memory for a guest's linear memory meaning that this bug will by default on hosts cause the host to hit unmapped memory and abort the process due to an unhandled fault. Wasmtime can be configured, however, to reserve less memory for a guest and to remove all guard pages, so some configurations of Wasmtime may lead to corruption of data outside of a guest's linear memory, such as host data structures or other guests's linear memories. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
AI Analysis
Technical Summary
Wasmtime's implementation of string transcoding between components contains a bug where the return value of a guest component's realloc is not validated before the host writes through the pointer. This enables a guest to cause out-of-bounds writes up to 4GiB away from the guest's linear memory base. By default, Wasmtime reserves 4GiB of virtual memory, so the host typically aborts due to unhandled faults when hitting unmapped memory. However, configurations with less reserved memory and no guard pages may allow corruption of host data structures or other guests' memory. The issue affects Wasmtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, where it has been fixed.
Potential Impact
This vulnerability can cause the host process running Wasmtime to abort due to unhandled memory faults when the host writes to unmapped memory. In some configurations, it may lead to corruption of host data structures or other guests' linear memories, potentially impacting host stability and security. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability is fixed in Wasmtime versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1. Users should upgrade to one of these fixed versions or later to remediate the issue. Patch status is not explicitly stated beyond these fixed versions, so users should consult the vendor advisory for the latest remediation guidance. No other mitigations are specified.
CVE-2026-35195: CWE-787: Out-of-bounds Write in bytecodealliance wasmtime
Description
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings between components contains a bug where the return value of a guest component's realloc is not validated before the host attempts to write through the pointer. This enables a guest to cause the host to write arbitrary transcoded string bytes to an arbitrary location up to 4GiB away from the base of linear memory. These writes on the host could hit unmapped memory or could corrupt host data structures depending on Wasmtime's configuration. Wasmtime by default reserves 4GiB of virtual memory for a guest's linear memory meaning that this bug will by default on hosts cause the host to hit unmapped memory and abort the process due to an unhandled fault. Wasmtime can be configured, however, to reserve less memory for a guest and to remove all guard pages, so some configurations of Wasmtime may lead to corruption of data outside of a guest's linear memory, such as host data structures or other guests's linear memories. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Wasmtime's implementation of string transcoding between components contains a bug where the return value of a guest component's realloc is not validated before the host writes through the pointer. This enables a guest to cause out-of-bounds writes up to 4GiB away from the guest's linear memory base. By default, Wasmtime reserves 4GiB of virtual memory, so the host typically aborts due to unhandled faults when hitting unmapped memory. However, configurations with less reserved memory and no guard pages may allow corruption of host data structures or other guests' memory. The issue affects Wasmtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, where it has been fixed.
Potential Impact
This vulnerability can cause the host process running Wasmtime to abort due to unhandled memory faults when the host writes to unmapped memory. In some configurations, it may lead to corruption of host data structures or other guests' linear memories, potentially impacting host stability and security. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability is fixed in Wasmtime versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1. Users should upgrade to one of these fixed versions or later to remediate the issue. Patch status is not explicitly stated beyond these fixed versions, so users should consult the vendor advisory for the latest remediation guidance. No other mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-01T18:48:58.936Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d7f88e1cc7ad14da0c179f
Added to database: 4/9/2026, 7:05:50 PM
Last enriched: 4/17/2026, 12:01:34 PM
Last updated: 5/25/2026, 2:43:32 AM
Views: 71
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.