CVE-2026-34944
published 2026-04-09CVE-2026-34944: Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the…
PriorityP427medium5.7CVSS 3.1
AVNACLPRLUIRSUCNINAH
EPSS
0.23%
13.4th percentile
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | < 24.0.7 | 24.0.7 |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | >= 0 < 24.0.7 | 24.0.7 |
| bytecodealliance | wasmtime | >= 0.0.0-0 < 24.0.7 | 24.0.7 |
| bytecodealliance | wasmtime | >= 25.0.0 < 36.0.7 | 36.0.7 |
| bytecodealliance | wasmtime | >= 25.0.0 < 36.0.7 | 36.0.7 |
| bytecodealliance | wasmtime | >= 37.0.0 < 42.0.2 | 42.0.2 |
| bytecodealliance | wasmtime | >= 37.0.0 < 42.0.2 | 42.0.2 |
| bytecodealliance | wasmtime | >= 43.0.0 < 43.0.1 | 43.0.1 |
| bytecodealliance | wasmtime | >= 43.0.0 < 43.0.1 | 43.0.1 |
CVSS provenance
nvdv3.15.7MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
nvdv4.04.1MEDIUMCVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat4.1MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on Cranelift x86-64
osv·2026-04-09
CVE-2026-34944 Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on Cranelift x86-64
Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on Cranelift x86-64
This is an entry in the RustSec database for the Wasmtime security advisory
located at
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv
For more information see the GitHub-hosted security advisory.
GHSA
Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64
ghsa·2026-04-09
CVE-2026-34944 [MEDIUM] CWE-248 Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64
Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64
On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the `f64x2.splat` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When [signals-based-traps](https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps) are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests.
### Details
The `f64x2.splat` operator, when operating on a value loaded from a memory (for example with f64.load), compiles with Cranelift to code on x86-64 without SSE3 that loads 128 bits (16 bytes) rather
VulDB
bytecodealliance wasmtime up to 24.0.6/36.0.6/42.0.1/44.0.0 uncaught exception (GHSA-qqfj-4vcm-26hv)
vuldb·2026-04-09·CVSS 4.1
CVE-2026-34944 [MEDIUM] bytecodealliance wasmtime up to 24.0.6/36.0.6/42.0.1/44.0.0 uncaught exception (GHSA-qqfj-4vcm-26hv)
A vulnerability, which was classified as problematic, was found in bytecodealliance wasmtime up to 24.0.6/36.0.6/42.0.1/44.0.0. This affects an unknown part. Such manipulation leads to uncaught exception.
This vulnerability is documented as CVE-2026-34944. The attack needs to be performed locally. There is not any exploit available.
You should upgrade the affected component.
OSV
Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64
osv·2026-04-09
CVE-2026-34944 [MEDIUM] Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64
Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64
On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the `f64x2.splat` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When [signals-based-traps](https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps) are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests.
### Details
The `f64x2.splat` operator, when operating on a value loaded from a memory (for example with f64.load), compiles with Cranelift to code on x86-64 without SSE3 that loads 128 bits (16 bytes) rather
Red Hat
wasmtime: Wasmtime: Denial of Service due to out-of-bounds read during WebAssembly compilation
vendor_redhat·2026-04-09·CVSS 4.1
CVE-2026-34944 [MEDIUM] CWE-466 wasmtime: Wasmtime: Denial of Service due to out-of-bounds read during WebAssembly compilation
wasmtime: Wasmtime: Denial of Service due to out-of-bounds read during WebAssembly compilation
A flaw was found in Wasmtime, a runtime for WebAssembly. On x86-64 platforms with SSE3 disabled, Wasmtime's Cranelift compiler backend may load additional data beyond the intended memory boundary when compiling the 'f64x2.splat' WebAssembly instruction. This out-of-bounds read can lead to a Denial of Service (DoS) through an uncaught segmentation fault if signals-based traps are disabled. While it could also load out-of-sandbox data if guard pages are disabled, this information is not accessible to WebAssembly guests.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deplo
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-34944 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.1
CVE-2026-34944 [MEDIUM] CVE-2026-34944 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34944 :
Rust vulnerability analysis and mitigation
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
Source : NVD
## 4.1
Score
Published April 9, 2026
Severity MEDIUM
CNA Score 4.1
Affected Technologies
Rust
Linux Debian
Has Public Exploit No
Has CISA KEV Exploi
Bugzilla
CVE-2026-34944 tree-sitter: Wasmtime: Denial of Service due to out-of-bounds read during WebAssembly compilation [fedora-all]
bugzilla·2026-04-09·CVSS 4.1
CVE-2026-34944 [MEDIUM] CVE-2026-34944 tree-sitter: Wasmtime: Denial of Service due to out-of-bounds read during WebAssembly compilation [fedora-all]
CVE-2026-34944 tree-sitter: Wasmtime: Denial of Service due to out-of-bounds read during WebAssembly compilation [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-34944 wasmtime: Wasmtime: Denial of Service due to out-of-bounds read during WebAssembly compilation
bugzilla·2026-04-09·CVSS 4.1
CVE-2026-34944 [MEDIUM] CVE-2026-34944 wasmtime: Wasmtime: Denial of Service due to out-of-bounds read during WebAssembly compilation
CVE-2026-34944 wasmtime: Wasmtime: Denial of Service due to out-of-bounds read during WebAssembly compilation
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
2026-04-09
Published