Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on...

4.1 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should updated to supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it's not recommended to disabled guard pages as it is a key defense-in-depth measure of Wasmtime.

Basic Information

ID CVE-2026-24116

Source GitHub_M

Published Jan 27, 2026 at 18:58

Modified Jan 27, 2026 at 19:23

Affected Product

Vendor bytecodealliance

Product wasmtime

Version >= 29.0.0, < 36.0.5

Affected Versions bytecodealliance wasmtime >= 29.0.0, < 36.0.5
bytecodealliance wasmtime >= 37.0.0, < 40.0.3
bytecodealliance wasmtime = 41.0.0

CWE Classification

CWE-125

References

{
    "lastseen": "",
    "description": "Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should updated to supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it's not recommended to disabled guard pages as it is a key defense-in-depth measure of Wasmtime.",
    "published": "2026-01-27T18:58:52.349Z",
    "modified": "2026-01-27T19:23:09.391Z",
    "type": "cve",
    "title": "Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64",
    "source": "GitHub_M",
    "references": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73\nhttps://github.com/bytecodealliance/wasmtime/commit/728fa07184f8da2a046f48ef9b61f869dce133a6\nhttps://github.com/bytecodealliance/wasmtime/commit/799585fc362fcb991de147dd1a9f2ba0861ed440\nhttps://github.com/bytecodealliance/wasmtime/commit/ac92d9bb729ad3a6d93f0724c4c33a0c4a9c0227\nhttps://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.memory_guard_size\nhttps://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps\nhttps://docs.wasmtime.dev/stability-release.html\nhttps://rustsec.org/advisories/RUSTSEC-2026-0006.html",
    "id": "CVE-2026-24116",
    "bulletinFamily": "",
    "cwe": [
        "CWE-125"
    ],
    "cvelist": null,
    "sourceData": "bytecodealliance wasmtime >= 29.0.0, < 36.0.5\nbytecodealliance wasmtime >= 37.0.0, < 40.0.3\nbytecodealliance wasmtime = 41.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "wasmtime",
    "version": ">= 29.0.0, < 36.0.5",
    "vendor": "bytecodealliance",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64_CVE-2026-24116