CVE-2026-34944
- Source
- https://cve.org/CVERecord?id=CVE-2026-34944
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34944.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-34944
- Aliases
- Downstream
- Related
- Published
- 2026-04-09T18:38:16.182Z
- Modified
- 2026-05-28T18:29:28.836958963Z
- Severity
-
- 4.1 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64
- Details
-
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
- Database specific
{ "cwe_ids": [ "CWE-248" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34944.json", "cna_assigner": "GitHub_M" }- References