CVE-2026-24116
Published 2026-01-27
CVE-2026-24116: Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's…
Priority P4 · 23 · medium · 5.5 · CVSS 3.1
AV:L / AC:L / PR:N / UI:R / S:U / C:N / I:N / A:H
EPSS
0.21%
11.7th percentile
Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in an uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should update to a supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it's not recommended to disable guard pages as it is a key defense-in-depth measure of Wasmtime.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | >= 29.0.0 < 36.0.5 | 36.0.5 |
| bytecodealliance | wasmtime | >= 29.0.0 < 36.0.5 | 36.0.5 |
| bytecodealliance | wasmtime | >= 37.0.0 < 40.0.3 | 40.0.3 |
| bytecodealliance | wasmtime | >= 40.0.0 < 40.0.3 | 40.0.3 |
| bytecodealliance | wasmtime | >= 41.0.0 < 41.0.1 | 41.0.1 |
| bytecodealliance | wasmtime | >= 41.0.0 < 41.0.1 | 41.0.1 |
| debian | rust-wasmtime | — | — |
CVSS provenance
nvd · v3.1 · 5.5 · MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvd · v4.0 · 4.1 · MEDIUM · CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv · 4.1 · MEDIUM
vendor_debian · 4.1 · MEDIUM
Debian
CVE-2026-24116: rust-wasmtime - Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to v...
vendor_debian·2026·CVSS 4.1
CVE-2026-24116 [MEDIUM] CVE-2026-24116: rust-wasmtime - Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to v...
Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in an uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should update to a supported major version inst
OSV
CVE-2026-24116: Wasmtime is a runtime for WebAssembly
osv·2026-01-27·CVSS 4.1
CVE-2026-24116 [MEDIUM] CVE-2026-24116: Wasmtime is a runtime for WebAssembly
Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in an uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should update to a supported major version inst
OSV
Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64
osv·2026-01-27
CVE-2026-24116 [MEDIUM] Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64
On x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in an uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests.
### Details
The `f64.copysign` operator, when operating on a value loaded from a memory (for example with `f64.load`), compiles with Cranelift to code on x86-64 with AVX that loads 128 bits (16 bytes) rather than the expected 64 bits (8 bytes) from memory. When the
GHSA
Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64
ghsa·2026-01-27
CVE-2026-24116 [MEDIUM] CWE-125 Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64
On x86-64 platforms with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in an uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests.
### Details
The `f64.copysign` operator, when operating on a value loaded from a memory (for example with `f64.load`), compiles with Cranelift to code on x86-64 with AVX that loads 128 bits (16 bytes) rather than the expected 64 bits (8 bytes) from memory. When the
OSV
Wasmtime segfault or unused out-of-sandbox load with `f64.copysign` operator on x86-64
osv·2026-01-26
CVE-2026-24116 Wasmtime segfault or unused out-of-sandbox load with `f64.copysign` operator on x86-64
This is an entry in the RustSec database for the Wasmtime security advisory
located at
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73
For more information see the GitHub-hosted security advisory.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-24116 tree-sitter: Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64 [fedora-42]
bugzilla·2026-01-28·CVSS 4.1
CVE-2026-24116 [MEDIUM] CVE-2026-24116 tree-sitter: Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64 [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a cu
Wiz
CVE-2026-24116 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.1
CVE-2026-24116 [MEDIUM] CVE-2026-24116 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24116: Rust vulnerability analysis and mitigation
f64.copysign
Source: NVD
Score: 4.1
Published: January 27, 2026
Severity: MEDIUM
CNA Score: 4.1
Affected Technologies: Rust, NixOS
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.8
Exploitation Probability (EPSS): N/A
Affected packages and libraries
wizer
yara-x
Sources
NVD
CBL-Mariner 3.0 Severity MEDIUM Has Fix Added at: Mar 13, 2026
Chainguard Has Fix Added at: Jan 28, 2026
Debian 14 Severity MEDIUM No Fix Added at: Jan 28, 2026
Rust Severity MEDIUM Has Fix Added at: Jan 27, 2026
Homebrew Severity MEDIUM Has Fix Added at: Feb 15, 2026
Nix Severity MEDIUM Has Fix Added at: Feb 15, 2026
Wolfi Has Fix Added at:
https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.memory_guard_size
https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps
https://docs.wasmtime.dev/stability-release.html
https://github.com/bytecodealliance/wasmtime/commit/728fa07184f8da2a046f48ef9b61f869dce133a6
https://github.com/bytecodealliance/wasmtime/commit/799585fc362fcb991de147dd1a9f2ba0861ed440
https://github.com/bytecodealliance/wasmtime/commit/ac92d9bb729ad3a6d93f0724c4c33a0c4a9c0227
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73
https://rustsec.org/advisories/RUSTSEC-2026-0006.html
2026-01-27
Published