CVE-2026-34944
Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, on x86-64 platforms with SSE3 disabled, Wasmtime's compilation of the `f64x2.splat` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled, this can result in an uncaught segfault due to loading from unmapped guard pages. With guard pages disabled, it's possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.
| CWE | CWE-248 |
| Vendor | bytecodealliance |
| Product | wasmtime |
| Published | Apr 9, 2026 |
| Last Updated | Apr 13, 2026 |
Affected Versions
bytecodealliance / wasmtime
< 24.0.7
>= 25.0.0, < 36.0.7
>= 37.0.0, < 42.0.2
>= 43.0.0, < 44.0.1