CVE-2026-24116 — Out-of-bounds Read in Wasmtime

CWE-125 — Out-of-bounds Read7 documents5 sources

Severity

4.1MEDIUMNVD

EPSS

0.0%

top 99.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bytecodealliance Wasmtime Debian Rust-wasmtime

Timeline

PublishedJan 27

Description

Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug i…

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDbytecodealliance/wasmtime29.0.0 — 36.0.5+2

▶crates.iobytecodealliance/wasmtime29.0.0 — 36.0.5+2

▶debiandebian/rust-wasmtime

▶CVEListV5bytecodealliance/wasmtime= 41.0.0, >= 29.0.0, < 36.0.5, >= 37.0.0, < 40.0.3+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-24116: Wasmtime is a runtime for WebAssembly↗2026-01-27

▶

OSV

Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64↗2026-01-27

▶

GHSA

Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64↗2026-01-27

▶

OSV

Wasmtime segfault or unused out-of-sandbox load with `f64.copysign` operator on x86-64↗2026-01-26

▶

📋Vendor Advisories

Debian

CVE-2026-24116: rust-wasmtime - Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to v...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-24116 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶