FKIE_CVE-2026-24116

Vulnerability from fkie_nvd - Published: 2026-01-27 19:16 - Updated: 2026-02-12 21:36
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary
Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should updated to supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it's not recommended to disabled guard pages as it is a key defense-in-depth measure of Wasmtime.
References
security-advisories@github.comhttps://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.memory_guard_sizeProduct
security-advisories@github.comhttps://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_trapsProduct
security-advisories@github.comhttps://docs.wasmtime.dev/stability-release.htmlRelease Notes
security-advisories@github.comhttps://github.com/bytecodealliance/wasmtime/commit/728fa07184f8da2a046f48ef9b61f869dce133a6Patch
security-advisories@github.comhttps://github.com/bytecodealliance/wasmtime/commit/799585fc362fcb991de147dd1a9f2ba0861ed440Patch
security-advisories@github.comhttps://github.com/bytecodealliance/wasmtime/commit/ac92d9bb729ad3a6d93f0724c4c33a0c4a9c0227Patch
security-advisories@github.comhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73Patch, Vendor Advisory
security-advisories@github.comhttps://rustsec.org/advisories/RUSTSEC-2026-0006.htmlThird Party Advisory
Impacted products
Vendor Product Version
bytecodealliance wasmtime *
bytecodealliance wasmtime *
bytecodealliance wasmtime *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "BF63410F-0A9C-4D54-B8C1-0C45DE6CAD08",
              "versionEndExcluding": "36.0.5",
              "versionStartIncluding": "29.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "AE2A659B-DE7A-4A50-AD38-4CD5127E735D",
              "versionEndExcluding": "40.0.3",
              "versionStartIncluding": "40.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "6E5187FA-AD56-42FE-9264-169D3FED568A",
              "versionEndExcluding": "41.0.1",
              "versionStartIncluding": "41.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime\u0027s compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it\u0027s possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should updated to supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it\u0027s not recommended to disabled guard pages as it is a key defense-in-depth measure of Wasmtime."
    },
    {
      "lang": "es",
      "value": "Wasmtime es un entorno de ejecuci\u00f3n para WebAssembly. A partir de la versi\u00f3n 29.0.0 y antes de las versiones 36.0.5, 40.0.3 y 41.0.1, en plataformas x86-64 con AVX, la compilaci\u00f3n de Wasmtime de la instrucci\u00f3n WebAssembly f64.copysign con Cranelift puede cargar 8 bytes m\u00e1s de los necesarios. Cuando las trampas basadas en se\u00f1ales est\u00e1n deshabilitadas, esto puede resultar en un segfault no detectado debido a la carga desde p\u00e1ginas de guardia no mapeadas. Con las p\u00e1ginas de guardia deshabilitadas, es posible que se carguen datos fuera de la sandbox, pero a menos que haya otro error en Cranelift, estos datos no son visibles para los invitados de WebAssembly. Wasmtime 36.0.5, 40.0.3 y 41.0.1 han sido lanzadas para solucionar este problema. Se recomienda a los usuarios actualizar a las versiones parcheadas de Wasmtime. Otras versiones afectadas no est\u00e1n parcheadas y los usuarios deber\u00edan actualizar a una versi\u00f3n principal compatible en su lugar. Este error se puede eludir habilitando las trampas basadas en se\u00f1ales. Si bien deshabilitar las p\u00e1ginas de guardia puede ser una soluci\u00f3n r\u00e1pida en algunas situaciones, no se recomienda deshabilitar las p\u00e1ginas de guardia, ya que es una medida clave de defensa en profundidad de Wasmtime."
    }
  ],
  "id": "CVE-2026-24116",
  "lastModified": "2026-02-12T21:36:55.310",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 4.1,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-27T19:16:16.180",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.memory_guard_size"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://docs.wasmtime.dev/stability-release.html"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/bytecodealliance/wasmtime/commit/728fa07184f8da2a046f48ef9b61f869dce133a6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/bytecodealliance/wasmtime/commit/799585fc362fcb991de147dd1a9f2ba0861ed440"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/bytecodealliance/wasmtime/commit/ac92d9bb729ad3a6d93f0724c4c33a0c4a9c0227"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0006.html"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-125"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.