CVE-2026-24116 (GCVE-0-2026-24116)
Vulnerability from cvelistv5
Published
2026-01-27 18:58
Modified
2026-01-27 19:23
Severity ?
4.1 (Medium) - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE
Summary
Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should updated to supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it's not recommended to disabled guard pages as it is a key defense-in-depth measure of Wasmtime.
References
Impacted products
Vendor Product Version
bytecodealliance wasmtime Version: >= 29.0.0, < 36.0.5
Version: >= 37.0.0, < 40.0.3
Version: = 41.0.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24116",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-27T19:22:29.285417Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-27T19:23:09.391Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wasmtime",
          "vendor": "bytecodealliance",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 29.0.0, \u003c 36.0.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 37.0.0, \u003c 40.0.3"
            },
            {
              "status": "affected",
              "version": "= 41.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime\u0027s compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it\u0027s possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should updated to supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it\u0027s not recommended to disabled guard pages as it is a key defense-in-depth measure of Wasmtime."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-27T18:58:52.349Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73"
        },
        {
          "name": "https://github.com/bytecodealliance/wasmtime/commit/728fa07184f8da2a046f48ef9b61f869dce133a6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/commit/728fa07184f8da2a046f48ef9b61f869dce133a6"
        },
        {
          "name": "https://github.com/bytecodealliance/wasmtime/commit/799585fc362fcb991de147dd1a9f2ba0861ed440",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/commit/799585fc362fcb991de147dd1a9f2ba0861ed440"
        },
        {
          "name": "https://github.com/bytecodealliance/wasmtime/commit/ac92d9bb729ad3a6d93f0724c4c33a0c4a9c0227",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/commit/ac92d9bb729ad3a6d93f0724c4c33a0c4a9c0227"
        },
        {
          "name": "https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.memory_guard_size",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.memory_guard_size"
        },
        {
          "name": "https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps"
        },
        {
          "name": "https://docs.wasmtime.dev/stability-release.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.wasmtime.dev/stability-release.html"
        },
        {
          "name": "https://rustsec.org/advisories/RUSTSEC-2026-0006.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://rustsec.org/advisories/RUSTSEC-2026-0006.html"
        }
      ],
      "source": {
        "advisory": "GHSA-vc8c-j3xm-xj73",
        "discovery": "UNKNOWN"
      },
      "title": "Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24116",
    "datePublished": "2026-01-27T18:58:52.349Z",
    "dateReserved": "2026-01-21T18:38:22.472Z",
    "dateUpdated": "2026-01-27T19:23:09.391Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24116\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-27T19:22:29.285417Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-27T19:22:59.924Z\"}}], \"cna\": {\"title\": \"Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64\", \"source\": {\"advisory\": \"GHSA-vc8c-j3xm-xj73\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 4.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"bytecodealliance\", \"product\": \"wasmtime\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 29.0.0, \u003c 36.0.5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 37.0.0, \u003c 40.0.3\"}, {\"status\": \"affected\", \"version\": \"= 41.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73\", \"name\": \"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/bytecodealliance/wasmtime/commit/728fa07184f8da2a046f48ef9b61f869dce133a6\", \"name\": \"https://github.com/bytecodealliance/wasmtime/commit/728fa07184f8da2a046f48ef9b61f869dce133a6\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/bytecodealliance/wasmtime/commit/799585fc362fcb991de147dd1a9f2ba0861ed440\", \"name\": \"https://github.com/bytecodealliance/wasmtime/commit/799585fc362fcb991de147dd1a9f2ba0861ed440\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/bytecodealliance/wasmtime/commit/ac92d9bb729ad3a6d93f0724c4c33a0c4a9c0227\", \"name\": \"https://github.com/bytecodealliance/wasmtime/commit/ac92d9bb729ad3a6d93f0724c4c33a0c4a9c0227\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.memory_guard_size\", \"name\": \"https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.memory_guard_size\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps\", \"name\": \"https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.wasmtime.dev/stability-release.html\", \"name\": \"https://docs.wasmtime.dev/stability-release.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://rustsec.org/advisories/RUSTSEC-2026-0006.html\", \"name\": \"https://rustsec.org/advisories/RUSTSEC-2026-0006.html\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime\u0027s compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it\u0027s possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should updated to supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it\u0027s not recommended to disabled guard pages as it is a key defense-in-depth measure of Wasmtime.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-125\", \"description\": \"CWE-125: Out-of-bounds Read\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-27T18:58:52.349Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-24116\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-27T19:23:09.391Z\", \"dateReserved\": \"2026-01-21T18:38:22.472Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-27T18:58:52.349Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.