{"id":"CVE-2026-34942","summary":"Wasmtime panics when transcoding misaligned utf-16 strings","details":"Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.","aliases":["GHSA-jxhv-7h78-9775","RUSTSEC-2026-0092"],"modified":"2026-05-28T18:29:27.377699229Z","published":"2026-04-09T18:32:56.456Z","related":["CGA-7f8x-xjfg-9cq8","SUSE-SU-2026:21789-1","openSUSE-SU-2026:20749-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34942.json","cwe_ids":["CWE-129"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34942.json"},{"type":"ADVISORY","url":"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34942"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bytecodealliance/wasmtime","events":[{"introduced":"be23469ece57c0be64904f12111c8d808b0ce4ac"},{"fixed":"f302ebd6be3b452eff175f8af6ae792b1d703330"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34942.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L"}]}