CVE-2026-34941 Overview
CVE-2026-34941 is an out-of-bounds read vulnerability in Wasmtime, a runtime for WebAssembly. The vulnerability exists in the UTF-16 string transcoding functionality when converting to the latin1+utf16 component-model encoding. The flaw stems from incorrect validation of the byte length during bounds checking, where the implementation checks the number of code units instead of the actual byte length (which is twice the size of code units). This miscalculation can cause the host to read beyond the end of a WebAssembly module's linear memory.
Critical Impact
In default configurations, exploitation results in a segmentation fault causing denial of service. With guard pages disabled, attackers may read host memory beyond WebAssembly's linear memory boundary.
Affected Products
- Wasmtime versions prior to 24.0.7
- Wasmtime versions prior to 36.0.7
- Wasmtime versions prior to 42.0.2 and 43.0.1
Discovery Timeline
- 2026-04-09 - CVE CVE-2026-34941 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-34941
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-Bounds Read). The core issue lies in the transcoding logic for UTF-16 strings within Wasmtime's component model implementation. When processing UTF-16 encoded data for conversion to the latin1+utf16 encoding, the bounds validation incorrectly uses the count of code units rather than the actual byte length. Since UTF-16 uses 2 bytes per code unit, this creates a validation gap where the actual memory access could extend up to twice the validated boundary.
The exploitation scenario depends on Wasmtime's configuration. In the default configuration with guard pages enabled, an attempt to read beyond linear memory will hit an unmapped guard page, causing a segmentation fault and process termination. While this constitutes a denial-of-service condition, the security impact is more severe in non-standard configurations where guard pages are disabled. In such cases, the out-of-bounds read could access host memory beyond the WebAssembly sandbox boundary, potentially exposing sensitive information.
Root Cause
The root cause is an improper input validation error in the UTF-16 transcoding bounds check. The validation logic uses code unit count instead of byte length, failing to account for UTF-16's 2-byte-per-code-unit encoding. This mathematical oversight in the boundary calculation creates the conditions for an out-of-bounds memory access during the transcoding operation.
Attack Vector
The vulnerability can be exploited over the network (AV:N) as WebAssembly modules are commonly loaded from remote sources. An attacker would need to craft a malicious WebAssembly module with a specially constructed UTF-16 string that triggers the flawed transcoding path. When the host runtime attempts to transcode this string, it will read beyond the intended memory boundary due to the incorrect bounds calculation.
The attack requires low privilege (authenticated access to load WebAssembly modules) and some user interaction to trigger the vulnerable code path. The primary impact is on availability through denial of service, with potential confidentiality impact in non-default configurations where guard pages are disabled.
Detection Methods for CVE-2026-34941
Indicators of Compromise
- Unexpected process crashes or segmentation faults in applications utilizing Wasmtime runtime
- Abnormal memory access patterns during WebAssembly module execution
- Repeated termination of services running WebAssembly workloads with SIGSEGV signals
Detection Strategies
- Monitor application logs for segmentation fault occurrences in Wasmtime-based services
- Implement runtime monitoring for memory access violations in WebAssembly execution environments
- Deploy application-level crash detection to identify potential exploitation attempts
Monitoring Recommendations
- Enable comprehensive logging for WebAssembly module loading and execution events
- Configure alerting for unusual patterns of process termination in Wasmtime-based applications
- Review audit logs for suspicious WebAssembly module submissions that may target string transcoding functions
How to Mitigate CVE-2026-34941
Immediate Actions Required
- Upgrade Wasmtime to version 24.0.7, 36.0.7, 42.0.2, or 43.0.1 depending on your current major version
- Ensure guard pages are enabled (default configuration) to limit exploitation to denial of service
- Review any custom Wasmtime configurations that may have disabled guard pages
Patch Information
The vulnerability has been fixed in Wasmtime versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1. Organizations should upgrade to the appropriate patched version based on their current deployment. Detailed patch information is available in the GitHub Security Advisory.
Workarounds
- Ensure Wasmtime is running with default guard page configuration enabled to contain exploitation to denial of service
- Implement input validation on WebAssembly modules before loading them into the runtime
- Consider rate limiting or restricting the sources from which WebAssembly modules can be loaded
# Verify Wasmtime version and upgrade
wasmtime --version
# Update to patched version via cargo
cargo update -p wasmtime
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
