Vulnerability Information
Vulnerability Title
Wasmtime panics when transcoding misaligned utf-16 strings
Vulnerability Description
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This panic is possible to trigger from malicious guests which transfer very specific strings across components with specific addresses. Host panics are considered a DoS vector in Wasmtime as the panic conditions are controlled by the guest in this situation. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
CVSS Information
N/A
Vulnerability Type
Improper Validation of Array Index
Vulnerability Title
wasmtime input validation error vulnerability
Vulnerability Description
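wasmtime is a lightweight WebAssembly runtime open-sourced by the Bytecode Alliance. Wasmtime versions prior to 24.0.7, prior to 36.0.7, prior to 42.0.2, and prior to 43.0.1 contain an input validation error vulnerability. The vulnerability stems from a failure to correctly verify the alignment of reallocated strings when transcoding strings into the Component Model's utf16 or latin1+utf16 encodings, which may cause unaligned pointers to be passed to the host for transcoding, triggering a host panic and constituting a denial-of-service vector.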
CVSS Information
N/A
Vulnerability Type
N/A