Out-of-bounds write in Wasmtime - CVE-2026-35195

 


Published: April 10, 2026


Vulnerability identifier: #VU125753
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35195
CWE-ID: CWE-787
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Bytecode Alliance
Affected software:
Wasmtime

Detailed vulnerability description

The vulnerability allows a remote user to cause a denial of service or corrupt memory.

The vulnerability exists due to an out-of-bounds write in the component model string transcoding implementation when it processes a guest component's realloc return value. A remote user can provide a crafted realloc result to cause a denial of service or corrupt memory.

By default, exploitation typically causes the process to abort due to an unhandled fault, but configurations with reduced reserved memory or removed guard pages may allow corruption outside a guest's linear memory.
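
The class of check this description implies, as an added example (not Wasmtime's code and not the vendor's patch): a host validates the pointer returned by a guest's realloc against the linear memory size before writing transcoded string data through it. Linear memory is modelled as a byte slice, and `checked_guest_range`, `store_utf16` and `ReallocError` are hypothetical names.

```rust
use std::ops::Range;

/// Conditions a host should turn into a trap instead of writing to memory.
#[derive(Debug, PartialEq)]
enum ReallocError {
    Misaligned,
    OutOfBounds,
}

/// Validate a guest-returned realloc pointer before the host writes through it.
/// `mem_len` is the current size of the guest's linear memory in bytes.
fn checked_guest_range(
    ptr: u32,
    byte_len: usize,
    align: usize,
    mem_len: usize,
) -> Result<Range<usize>, ReallocError> {
    let start = ptr as usize;
    if start % align != 0 {
        return Err(ReallocError::Misaligned);
    }
    // checked_add: start + len must not wrap, and the end must lie inside memory.
    match start.checked_add(byte_len) {
        Some(end) if end <= mem_len => Ok(start..end),
        _ => Err(ReallocError::OutOfBounds),
    }
}

/// Transcode UTF-8 to UTF-16LE into guest memory at the realloc-provided address.
/// Returns the number of UTF-16 code units written.
fn store_utf16(memory: &mut [u8], realloc_ret: u32, s: &str) -> Result<usize, ReallocError> {
    let units: Vec<u16> = s.encode_utf16().collect();
    // The guest controls `realloc_ret`, so it is untrusted input to the host.
    let range = checked_guest_range(realloc_ret, units.len() * 2, 2, memory.len())?;
    for (dst, unit) in memory[range].chunks_exact_mut(2).zip(&units) {
        dst.copy_from_slice(&unit.to_le_bytes());
    }
    Ok(units.len())
}

fn main() {
    // Constructed 64-byte "linear memory" and constructed realloc return values.
    let mut memory = vec![0u8; 64];
    println!("{:?}", store_utf16(&mut memory, 16, "héllo"));
    println!("{:?}", store_utf16(&mut memory, 60, "héllo"));
    println!("{:?}", store_utf16(&mut memory, u32::MAX - 1, "héllo"));
}
```

An explicit check like this rejects the bad pointer regardless of how much address space is reserved or whether guard pages are present, which is the property the reduced-reservation configurations above lose when the check is missing.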


How to mitigate CVE-2026-35195

Install the security update from the vendor's website.
