CVE-2026-24116

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-24116
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24116.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-24116
Aliases
Downstream
Related
Published
2026-01-27T18:58:52.349Z
Modified
2026-02-01T23:18:04.189327Z
Severity
  • 4.1 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64
Details

Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime's compilation of the f64.copysign WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should updated to supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it's not recommended to disabled guard pages as it is a key defense-in-depth measure of Wasmtime.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24116.json",
    "cwe_ids": [
        "CWE-125"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/bytecodealliance/wasmtime

Affected ranges

Type
GIT
Repo
https://github.com/bytecodealliance/wasmtime
Events
Introduced
545407736534daa9cbe3bdb8829ef5744429d5c8
Fixed
06ef14387760e52371fb68d4b30baf22fd576075
Database specific 
{
    "versions": [
        {
            "introduced": "29.0.0"
        },
        {
            "fixed": "36.0.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/bytecodealliance/wasmtime
Events
Introduced
7b3d6ae79e9153a2477668062f5622c10333925f
Fixed
390241fbf9736f3698f07cf0b0add73b752fe66c
Database specific 
{
    "versions": [
        {
            "introduced": "37.0.0"
        },
        {
            "fixed": "40.0.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/bytecodealliance/wasmtime
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
3dda916921536c2b5233ec98315b6d05c793a34b
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "= 41.0.0"
        }
    ]
}

Affected versions

cranelift-v0.*
cranelift-v0.60.0
cranelift-v0.61.0
cranelift-v0.69.0
filecheck-v0.*
filecheck-v0.0.1
v0.*
v0.12.0
v0.16.0
v0.17.0
v0.18.0
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.23.0
v0.24.0
v0.25.0
v0.26.0
v0.27.0
v0.28.0
v0.29.0
v0.30.0
v0.31.0
v0.32.0
v0.33.0
v0.34.0
v0.35.0
v41.*
v41.0.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24116.json"