Description
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
Published: 2026-04-09
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

When a Wasmtime instance compiles the f64x2.splat WebAssembly instruction on x86‑64 platforms with SSE3 disabled, Cranelift may generate code that accesses eight additional bytes beyond the intended boundary. If signals‑based traps are turned off, this out‑of‑bounds load can trigger an uncaught segmentation fault, causing the Wasmtime process to crash. Because the accidental load does not expose data to the WebAssembly guest, the flaw does not lead to data disclosure or arbitrary code execution, but it can be used to disrupt service by crashing the runtime.

Affected Systems

Versions of Wasmtime earlier than 24.0.7, 36.0.7, 42.0.2, or 43.0.1 that run on x86‑64 processors with SSE3 disabled are affected. These include all releases in the 24, 36, 42, and 43 series before the specified patch points.

Risk and Exploitability

The CVSS score of 4.1 reflects moderate risk, emphasizing its denial‑of‑service impact rather than privilege escalation. No EPSS data or KEV listing is available, indicating limited public exploitation. Attackers would need the ability to execute Wasmtime with SSE3 disabled and signals‑based traps turned off; triggering the f64x2.splat instruction would then cause a crash. No active exploits have been reported, and the most likely vector is a remote service that intentionally disables SSE3 to run untrusted WebAssembly code.

Generated by OpenCVE AI on April 10, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wasmtime to version 24.0.7 or newer (including 36.0.7, 42.0.2, and 43.0.1).
  • If upgrading is not immediately possible, re‑enable SSE3 on the host or configure Wasmtime to enable signals‑based traps.
  • Verify that the WebAssembly runtime runs with its default trap handling enabled.

Generated by OpenCVE AI on April 10, 2026 at 01:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qqfj-4vcm-26hv Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64
History

Mon, 20 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}

Mon, 13 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Bytecodealliance
Bytecodealliance wasmtime
Vendors & Products Bytecodealliance
Bytecodealliance wasmtime

Fri, 10 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-466
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Thu, 09 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Description Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
Title Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64
Weaknesses CWE-248
References
Metrics cvssV4_0

{'score': 4.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Bytecodealliance Wasmtime
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:38:40.634Z

Reserved: 2026-03-31T17:27:08.660Z

Link: CVE-2026-34944

cve-icon Vulnrichment

Updated: 2026-04-13T15:33:31.219Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T19:16:24.187

Modified: 2026-04-20T18:27:28.147

Link: CVE-2026-34944

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-09T18:38:16Z

Links: CVE-2026-34944 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:31:40Z

Weaknesses