PT-2026-31685 · Bytecode Alliance · Wasmtime

Published: 2026-04-09 · Updated: 2026-04-09 · CVE-2026-34944

CVSS v3.1: 5.7 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Wasmtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1

Description

Wasmtime is a runtime for WebAssembly. On x86-64 platforms with SSE3 disabled, the code Cranelift generates for the f64x2.splat WebAssembly instruction can load 8 more bytes than necessary, which can result in a load from unmapped guard pages. When signals-based-traps are disabled, the resulting segfault is not caught, potentially leading to a denial-of-service condition. The loaded data is not directly visible to WebAssembly guests, but with signals-based-traps disabled and guard pages enabled the host process can terminate.

Recommendations

Update to Wasmtime version 24.0.7, 36.0.7, 42.0.2, or 43.0.1.
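
A lockfile triage check for the fixed versions listed above, as an added example that is not part of the advisory or of the Wasmtime project. It assumes each fixed release is the floor for its own major release line and that any other line counts as affected when older than 43.0.1; the function names and the sample Cargo.lock text are constructed for illustration.

```rust
// Fixed releases named in the advisory, as (major, minor, patch).
const FIXED: [(u64, u64, u64); 4] = [(24, 0, 7), (36, 0, 7), (42, 0, 2), (43, 0, 1)];

// Plain "MAJOR.MINOR.PATCH" only; pre-release or build-tagged versions yield None.
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let mut it = s.split('.').map(|p| p.parse::<u64>().ok());
    let v = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some(v) }
}

// Assumed reading: each fix is the floor for its major line; other lines need >= 43.0.1.
fn is_affected(v: (u64, u64, u64)) -> bool {
    match FIXED.iter().find(|f| f.0 == v.0) {
        Some(f) => v < *f,      // line with a patched release: below it is affected
        None => v < FIXED[3],   // line with no patched release listed
    }
}

// (version, Some(affected)) per `wasmtime` entry; None means review by hand.
fn scan_lockfile(lock: &str) -> Vec<(String, Option<bool>)> {
    let (mut out, mut in_wasmtime) = (Vec::new(), false);
    for line in lock.lines().map(str::trim) {
        if line.starts_with("name = ") {
            in_wasmtime = line == "name = \"wasmtime\""; // exact crate name only
        } else if in_wasmtime {
            if let Some(ver) = line.strip_prefix("version = \"").and_then(|r| r.strip_suffix('"')) {
                out.push((ver.to_string(), parse_version(ver).map(is_affected)));
                in_wasmtime = false;
            }
        }
    }
    out
}

// Constructed sample lockfile text, not taken from a real project.
const SAMPLE: &str = r#"[[package]]
name = "wasmtime"
version = "36.0.6"
[[package]]
name = "wasmtime-environ"
version = "36.0.6"
[[package]]
name = "wasmtime"
version = "43.0.1"
"#;

fn main() {
    println!("{:?}", scan_lockfile(SAMPLE));
}
```

A flagged version is only exposed to the crash under the conditions in the description: x86-64 with SSE3 disabled and signals-based-traps disabled.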

Related Identifiers

CVE-2026-34944
GHSA-QQFJ-4VCM-26HV
RUSTSEC-2026-0087

Affected Products

Wasmtime