Out-of-bounds Read Affecting wasmtime-environ package, versions <24.0.7>=25.0.0 <36.0.7>=37.0.0 <42.0.2>=43.0.0 <43.0.1
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-WASMTIMEENVIRON-15967276
- published10 Apr 2026
- disclosed9 Apr 2026
- creditShun Kashiwa
Introduced: 9 Apr 2026
NewCVE-2026-34941 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade wasmtime-environ to version 24.0.7, 36.0.7, 42.0.2, 43.0.1 or higher.
Overview
wasmtime-environ is a Standalone environment support for WebAssembly code in Cranelift
Affected versions of this package are vulnerable to Out-of-bounds Read in the string transcoding of a UTF-16 string to the latin1+utf16. An attacker can cause the host process to terminate unexpectedly or potentially access sensitive information by providing a specially crafted UTF-16 string that is incorrectly validated. This is only exploitable if guard pages are disabled.