Out-of-bounds Read in Bytecodealliance Wasmtime

CVE-2026-34941

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byt…

Vulnerability class: Buffer Overflow

EPSS: 0.000 (5.4th percentile) — read the EPSS interpretation.

Affected products

Bytecodealliance Wasmtime — versions < 24.0.7, >= 25.0.0, < 36.0.7, >= 37.0.0, < 42.0.2

Weakness classification (CWE)

CWE-125 — Out-of-bounds Read

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hx6p-xpx3-jvvv (x_refsource_CONFIRM)