Memory Corruption Flaw in Wasmtime Runtime Affecting Bytecode Alliance
CVE-2026-35195

6.1 MEDIUM

Key Information:

CVE Published: 9 April 2026

What is CVE-2026-35195?

Wasmtime is a runtime for WebAssembly. Versions prior to the fixed releases contain a bug in how string transcoding between components is handled. The flaw allows the return value of a guest component's realloc to be mismanaged, which can direct the host to write to arbitrary memory locations within a 4GiB range from the base of linear memory. Depending on the configuration, the host may touch unmapped memory and the process may terminate on the resulting unhandled fault, or essential host data structures may be corrupted. Upgrading to versions 24.0.7, 36.0.7, 42.0.2, or 43.0.1 mitigates this risk.

Affected Version(s)

wasmtime < 24.0.7

wasmtime >= 25.0.0, < 36.0.7

wasmtime >= 37.0.0, < 42.0.2
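
An added example (not from this advisory or the Wasmtime project): a std-only Rust check that scans Cargo.lock text for `wasmtime` entries and classifies each against the affected ranges listed above. The sample lockfile is constructed, all function names are hypothetical, and flagging 43.0.0 as below the named 43.0.1 fix is an assumption, since the page lists no 43.x range.

```rust
// Added example: classify wasmtime versions in a Cargo.lock against this page's ranges.
#[derive(Debug, PartialEq)]
enum Status { Affected, BelowNamedFix, NotListed }
type Ver = (u64, u64, u64);

fn parse_ver(s: &str) -> Option<Ver> {
    // Pre-release/build suffixes ("-rc.1", "+meta") are ignored for the comparison.
    let core = s.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    let v = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some(v) }
}

fn classify(v: Ver) -> Status {
    // The three ranges below are copied from "Affected Version(s)".
    if v < (24, 0, 7) || (v >= (25, 0, 0) && v < (36, 0, 7)) || (v >= (37, 0, 0) && v < (42, 0, 2)) {
        Status::Affected
    } else if v == (43, 0, 0) {
        // Assumption: the page names 43.0.1 as a fixed release but lists no 43.x range.
        Status::BelowNamedFix
    } else {
        Status::NotListed
    }
}

fn scan_lockfile(lock: &str) -> Vec<(String, Status)> {
    let (mut out, mut in_pkg) = (Vec::new(), false);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" { in_pkg = false; }
        else if line == "name = \"wasmtime\"" { in_pkg = true; } // exact crate name only
        else if let (true, Some(rest)) = (in_pkg, line.strip_prefix("version = \"")) {
            let ver = rest.trim_end_matches('"');
            if let Some(v) = parse_ver(ver) { out.push((ver.to_string(), classify(v))); }
            in_pkg = false;
        }
    }
    out
}

// Constructed sample lockfile; a lockfile may pin several versions of one crate.
const SAMPLE_LOCK: &str = r#"[[package]]
name = "wasmtime-environ"
version = "36.0.6"
[[package]]
name = "wasmtime"
version = "36.0.6"
[[package]]
name = "wasmtime"
version = "42.0.2"
"#;
fn main() { for (v, s) in scan_lockfile(SAMPLE_LOCK) { println!("wasmtime {v}: {s:?}"); } }
```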

CVSS V4

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved