Description
Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in an uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should update to a supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it's not recommended to disable guard pages as it is a key defense-in-depth measure of Wasmtime.
Published: 2026-01-27
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Crash)
Action: Upgrade Now
AI Analysis

Impact

This flaw occurs in the Wasmtime runtime when Cranelift compiles the WebAssembly instruction f64.copysign on x86-64 machines that support AVX. The generated code may load eight bytes more than necessary. When signals-based-traps are disabled, the load can hit an unmapped guard page and cause an uncaught segfault; when guard pages are disabled, it can read data from outside the sandbox. The crash is a denial of service for the host process. The out-of-sandbox data is loaded but, unless there is another bug in Cranelift, is not visible to WebAssembly guests. The weakness is classified as an out-of-bounds read (CWE-125).

Affected Systems

The issue applies to the bytecodealliance Wasmtime runtime on x86‑64 platforms with AVX support. Vulnerable versions span from 29.0.0 up to, but not including, the patched releases 36.0.5, 40.0.3, and 41.0.1. Users should update to one of those releases or to a later major version that contains the fix.

Risk and Exploitability

With a CVSS score of 4.1 the severity is medium, and an EPSS score of less than 1% indicates a very low probability of exploitation. The defect causes a process crash rather than remote code execution or memory disclosure, so the overall risk is mild. The CVE is not listed in the CISA KEV catalog. The attack vector is local: any component that feeds WebAssembly code into Wasmtime can trigger the failure if signals-based-traps are disabled or guard pages are turned off.

Generated by OpenCVE AI on April 18, 2026 at 01:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wasmtime to a patched release (36.0.5, 40.0.3, or 41.0.1) or to any newer release that includes the fix. Other affected versions are not patched, so move to a supported major version.
  • If upgrading cannot be performed immediately, enable signals‑based‑traps in the Wasmtime configuration to avoid the segfault.
  • Avoid disabling guard pages, as they are a critical defense‑in‑depth measure preventing out‑of‑sandbox reads.



Advisories
Source | ID | Title
Github GHSA | GHSA-vc8c-j3xm-xj73 | Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64
History

Thu, 12 Feb 2026 21:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*
Metrics | | cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Wed, 28 Jan 2026 12:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Bytecodealliance; Bytecodealliance wasmtime
Vendors & Products | | Bytecodealliance; Bytecodealliance wasmtime

Tue, 27 Jan 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in an uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should update to a supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it's not recommended to disable guard pages as it is a key defense-in-depth measure of Wasmtime.
Title | | Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64
Weaknesses | | CWE-125
References | |
Metrics | | cvssV4_0 {'score': 4.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T19:23:09.391Z

Reserved: 2026-01-21T18:38:22.472Z

Link: CVE-2026-24116

Vulnrichment

Updated: 2026-01-27T19:22:59.924Z

NVD

Status: Analyzed

Published: 2026-01-27T19:16:16.180

Modified: 2026-02-12T21:36:55.310

Link: CVE-2026-24116

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses