#VU125753 Out-of-bounds write in Wasmtime - CVE-2026-35195

 


Published: April 10, 2026


Vulnerability identifier: #VU125753
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35195
CWE-ID: CWE-787
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Wasmtime
Software vendor:
Bytecode Alliance

Description

The vulnerability allows a remote user to cause a denial of service or corrupt memory.

The vulnerability exists due to an out-of-bounds write in the component model string transcoding implementation, which occurs when a guest component's realloc return value is processed during transcoding. A remote user can provide a crafted realloc result to cause a denial of service or corrupt memory.

By default, exploitation typically causes the process to abort due to an unhandled fault, but configurations with reduced reserved memory or removed guard pages may allow corruption outside a guest's linear memory.


Remediation

Install the security update from the vendor's website.
