CVE-2026-24116

EPSS 0.02%
Veröffentlicht 27.01.2026 18:58:52
Zuletzt bearbeitet 29.01.2026 16:31:35
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should updated to supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it's not recommended to disabled guard pages as it is a key defense-in-depth measure of Wasmtime.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 11

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerbytecodealliance

≫

Produkt wasmtime

Version >= 29.0.0, < 36.0.5

Status affected

Version >= 37.0.0, < 40.0.3

Status affected

Version = 41.0.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.027

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.1	0	0	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://docs.wasmtime.dev/stability-release.html

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73

https://github.com/bytecodealliance/wasmtime/commit/728fa07184f8da2a046f48ef9b61f869dce133a6

https://github.com/bytecodealliance/wasmtime/commit/799585fc362fcb991de147dd1a9f2ba0861ed440

https://github.com/bytecodealliance/wasmtime/commit/ac92d9bb729ad3a6d93f0724c4c33a0c4a9c0227

https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.memory_guard_size

https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps

https://rustsec.org/advisories/RUSTSEC-2026-0006.html

https://nvd.nist.gov/vuln/detail/CVE-2026-24116

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-24116

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-24116

EUVD