CVE-2026-35195 Overview
CVE-2026-35195 is an Out-of-Bounds Write vulnerability affecting Wasmtime, a runtime for WebAssembly. The vulnerability exists in Wasmtime's implementation of transcoding strings between components, where the return value of a guest component's realloc function is not properly validated before the host attempts to write through the pointer. This flaw enables a malicious guest component to cause the host to write arbitrary transcoded string bytes to memory locations up to 4GiB away from the base of linear memory.
Critical Impact
A guest component can corrupt host memory or cause denial of service by exploiting improper pointer validation during string transcoding operations.
Affected Products
- Wasmtime versions prior to 24.0.7
- Wasmtime versions prior to 36.0.7
- Wasmtime versions prior to 42.0.2 and 43.0.1
Discovery Timeline
- 2026-04-09 - CVE CVE-2026-35195 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35195
Vulnerability Analysis
This vulnerability stems from a missing validation check in Wasmtime's string transcoding mechanism used for inter-component communication. When transcoding strings between WebAssembly components, the host runtime calls the guest's realloc function to allocate memory for the transcoded output. The critical flaw is that the pointer returned by realloc is used directly without validation, allowing a malicious guest to return an arbitrary pointer value.
By default, Wasmtime reserves 4GiB of virtual memory for a guest's linear memory space. When exploitation is attempted under this default configuration, the out-of-bounds write will typically hit unmapped memory regions, causing the host process to abort due to an unhandled memory access fault. This results in a denial of service condition.
However, Wasmtime can be configured to reserve less memory for guests and to remove guard pages entirely. In these non-default configurations, the vulnerability becomes significantly more dangerous, potentially allowing corruption of host data structures or other guests' linear memories. This could lead to more severe consequences including arbitrary code execution or sandbox escape scenarios.
Root Cause
The root cause is classified as CWE-787 (Out-of-bounds Write). The vulnerability exists because Wasmtime's string transcoding implementation trusts the return value from a guest component's realloc function without performing bounds validation. The host should verify that the returned pointer falls within the expected boundaries of the guest's linear memory before writing transcoded string data through it.
Attack Vector
The attack vector requires network access with low complexity but some prerequisites must be met. An attacker needs the ability to execute a malicious WebAssembly component within a Wasmtime runtime environment. The exploitation flow involves:
- The attacker crafts a malicious WebAssembly component with a specially designed realloc implementation
- When string transcoding occurs between components, the malicious realloc returns a pointer outside the expected memory bounds
- The host runtime writes transcoded string bytes to the attacker-controlled memory location
- Depending on configuration, this either crashes the host (DoS) or corrupts host/other guest memory
The vulnerability mechanism exploits the trust relationship between the host runtime and guest components during memory allocation for string operations. The realloc function, which should return a valid pointer within the guest's linear memory, instead returns an arbitrary value that the host uses without validation. For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-35195
Indicators of Compromise
- Unexpected process crashes in applications using Wasmtime runtime with memory access violations
- Abnormal memory allocation patterns in WebAssembly guest components
- Segmentation faults or access violations occurring during component-to-component string operations
- Evidence of memory corruption in host data structures adjacent to WebAssembly linear memory
Detection Strategies
- Monitor for unexpected crashes in Wasmtime-based applications with fault addresses significantly outside expected memory regions
- Implement runtime instrumentation to detect out-of-bounds pointer returns from guest realloc functions
- Use memory sanitizers (ASan/MSan) during development and testing to catch out-of-bounds writes
- Review logs for patterns indicating repeated crashes during string transcoding operations
Monitoring Recommendations
- Enable crash reporting and analysis for applications using Wasmtime runtime
- Implement alerting on unusual memory access patterns in WebAssembly execution environments
- Monitor system logs for segmentation faults and memory access violations in Wasmtime processes
- Track and analyze any abnormal behavior during inter-component communication
How to Mitigate CVE-2026-35195
Immediate Actions Required
- Upgrade Wasmtime to patched versions 24.0.7, 36.0.7, 42.0.2, or 43.0.1 immediately
- Audit current Wasmtime configurations for reduced memory reservations or disabled guard pages
- Review WebAssembly components from untrusted sources running in your environment
- Consider temporarily disabling inter-component string operations if immediate patching is not possible
Patch Information
Bytecode Alliance has released security patches addressing this vulnerability in multiple Wasmtime versions. Organizations should upgrade to one of the following fixed versions based on their current deployment:
- Version 24.0.7 for those on the 24.x release branch
- Version 36.0.7 for those on the 36.x release branch
- Version 42.0.2 for those on the 42.x release branch
- Version 43.0.1 for those on the 43.x release branch
For detailed patch information and additional guidance, refer to the GitHub Security Advisory.
Workarounds
- Ensure Wasmtime is configured with default memory reservation (4GiB) and guard pages enabled to limit impact to DoS
- Restrict execution of untrusted WebAssembly components until patching is complete
- Implement network-level controls to limit exposure of Wasmtime-based services
- Consider running Wasmtime instances in isolated environments with additional sandboxing
# Verify Wasmtime version and upgrade if vulnerable
wasmtime --version
# Example: Upgrade using cargo
cargo install wasmtime-cli --version 43.0.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
