DEBIAN-CVE-2026-34944

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-34944
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-34944.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-34944
Upstream
Published
2026-04-09T19:16:24.187Z
Modified
2026-04-24T17:04:58.478784Z
Severity
  • 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.

References

Affected packages

Debian:13 / rust-wasmtime

Package

Name
rust-wasmtime
Purl
pkg:deb/debian/rust-wasmtime?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

26.*
26.0.1+dfsg-3
26.0.1+dfsg-4
26.0.1+dfsg-5
26.0.1+dfsg-6
26.0.1+dfsg-7
26.0.1+dfsg-8
26.0.1+dfsg-9
26.0.1+dfsg-10
27.*
27.0.0+dfsg-2
27.0.0+dfsg-3
27.0.0+dfsg-4
28.*
28.0.1+dfsg-1
28.0.1+dfsg-2
28.0.1+dfsg-3
29.*
29.0.1+dfsg-1
29.0.1+dfsg-2
29.0.1+dfsg-3
29.0.1+dfsg-4
29.0.1+dfsg-5
29.0.1+dfsg-6
29.0.1+dfsg-7
29.0.1+dfsg-8
36.*
36.0.5+dfsg-1
36.0.5+dfsg-2
36.0.5+dfsg-3
36.0.5+dfsg-4
36.0.5+dfsg-5
36.0.6+dfsg-1
36.0.6+dfsg-2
36.0.6+dfsg-3
36.0.6+dfsg-4
36.0.6+dfsg-5
36.0.6+dfsg-6
36.0.6+dfsg-7
36.0.7+dfsg-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-34944.json"

Debian:14 / rust-wasmtime

Package

Name
rust-wasmtime
Purl
pkg:deb/debian/rust-wasmtime?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

26.*
26.0.1+dfsg-3
26.0.1+dfsg-4
26.0.1+dfsg-5
26.0.1+dfsg-6
26.0.1+dfsg-7
26.0.1+dfsg-8
26.0.1+dfsg-9
26.0.1+dfsg-10
27.*
27.0.0+dfsg-2
27.0.0+dfsg-3
27.0.0+dfsg-4
28.*
28.0.1+dfsg-1
28.0.1+dfsg-2
28.0.1+dfsg-3
29.*
29.0.1+dfsg-1
29.0.1+dfsg-2
29.0.1+dfsg-3
29.0.1+dfsg-4
29.0.1+dfsg-5
29.0.1+dfsg-6
29.0.1+dfsg-7
29.0.1+dfsg-8
36.*
36.0.5+dfsg-1
36.0.5+dfsg-2
36.0.5+dfsg-3
36.0.5+dfsg-4
36.0.5+dfsg-5
36.0.6+dfsg-1
36.0.6+dfsg-2
36.0.6+dfsg-3
36.0.6+dfsg-4
36.0.6+dfsg-5
36.0.6+dfsg-6
36.0.6+dfsg-7
36.0.7+dfsg-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-34944.json"