CVE-2026-24116

Jan. 27, 2026, 7:16 p.m.

4.1
Medium

Description

Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should updated to supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it's not recommended to disabled guard pages as it is a key defense-in-depth measure of Wasmtime.

Product(s) Impacted

Vendor Product Versions
Wasmtime
  • Wasmtime
  • 29.0.0-36.0.4, 40.0.3, 41.0.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-125
Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a wasmtime wasmtime 29.0.0-36.0.4 / / / / / / /
a wasmtime wasmtime 40.0.3 / / / / / / /
a wasmtime wasmtime 41.0.1 / / / / / / /

References

https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.memory_guard_size
https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps
https://docs.wasmtime.dev/stability-release.html
https://github.com/bytecodealliance/wasmtime/commit/728fa07184f8da2a046f48ef9b61f869dce133a6
https://github.com/bytecodealliance/wasmtime/commit/799585fc362fcb991de147dd1a9f2ba0861ed440
https://github.com/bytecodealliance/wasmtime/commit/ac92d9bb729ad3a6d93f0724c4c33a0c4a9c0227
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73
https://rustsec.org/advisories/RUSTSEC-2026-0006.html

Tags

[email protected]
CWE-125
2026-01-27
CVE-2026-24116

CVSS Score

4.1 / 10

CVSS Data - 4.0

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Attack Requirements: PRESENT
  • Privileges Required: LOW
  • User Interaction: ACTIVE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Jan. 27, 2026, 7:16 p.m.
Last Modified: Jan. 27, 2026, 7:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.