CVE-2026-34944

Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64

Assigner: GitHub_M
Reserved: 31.03.2026 Published: 09.04.2026 Updated: 09.04.2026

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 4.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	High	Availability	None
Privileges Required	Low
User Interaction	Active

CVSS 4.0

Product Status

Vendor	bytecodealliance
Product	wasmtime
Versions	Version < 24.0.7 is affected Version >= 25.0.0, < 36.0.7 is affected Version >= 37.0.0, < 42.0.2 is affected Version >= 43.0.0, < 44.0.1 is affected

Vendor

bytecodealliance

Product

wasmtime

Versions

Version < 24.0.7 is affected
Version >= 25.0.0, < 36.0.7 is affected
Version >= 37.0.0, < 42.0.2 is affected
Version >= 43.0.0, < 44.0.1 is affected

References

Problem Types

CWE-248: Uncaught Exception CWE

CVE-2026-34944 PUBLISHED

Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64

Metrics

Product Status

References

Problem Types