PT-2026-4857 · Bytecode Alliance · Wasmtime
Louismerlin · Published 2026-01-01 · Updated 2026-02-12
CVE-2026-24116
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Wasmtime versions prior to 36.0.5
Wasmtime versions 36.0.5 through 40.0.2
Wasmtime versions 40.0.3 through 41.0.0
Wasmtime versions 41.0.1
Description
A flaw in Wasmtime's Cranelift compiler can lead to a host-level segmentation fault when processing malicious WebAssembly modules. Specifically, the f64.copysign WebAssembly instruction, when compiled with Cranelift on x86-64 platforms with AVX enabled, may load an excessive amount of data from memory. This can result in an uncaught segfault if signals-based traps are disabled and guard pages are enabled, potentially causing a denial-of-service condition. The issue arises from an incorrect memory load size during compilation, leading to out-of-bounds access. The vulnerability does not affect Wasmtime's default configuration, which has signals-based traps enabled.
Recommendations
Upgrade to Wasmtime version 36.0.5 or later.
Upgrade to Wasmtime version 40.0.3 or later.
Upgrade to Wasmtime version 41.0.1 or later.
As a workaround, enable signals-based traps.
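The conditions in the description and the fixed releases listed above can be combined into an exposure check for a deployment inventory. The following is an added example, not code from Wasmtime or from this advisory: the Exposure and Deployment names and fields are hypothetical, and it assumes that release lines with no listed fix (for example 37.x to 39.x) are unpatched.

```rust
// Added example, not Wasmtime code; names are hypothetical, conditions are the advisory's.
#[derive(Debug, PartialEq)]
pub enum Exposure {
    Patched,        // running a release that carries the fix
    NotReachable,   // unpatched, but not every crash condition holds
    Exposed,        // unpatched and every condition in the description holds
    UnknownVersion, // version string did not parse; check by hand
}

pub struct Deployment<'a> {
    pub version: &'a str,          // Wasmtime release, e.g. "40.0.2"
    pub x86_64: bool,              // host is x86-64
    pub avx: bool,                 // AVX enabled for generated code
    pub cranelift: bool,           // modules are compiled with Cranelift
    pub signals_based_traps: bool, // enabled in Wasmtime's default configuration
    pub guard_pages: bool,         // guard pages enabled
}

fn parse_version(s: &str) -> Option<(u32, u32, u32)> {
    let mut parts = s.trim().trim_start_matches('v').splitn(3, '.');
    let mut next = || parts.next()?.parse::<u32>().ok();
    Some((next()?, next()?, next()?))
}

// Fixed releases from Recommendations: 36.0.5, 40.0.3, 41.0.1.
// Assumption: other release lines up to 41 carry no fix; majors above 41 do.
fn is_patched(v: (u32, u32, u32)) -> bool {
    match v.0 {
        36 => v >= (36, 0, 5),
        40 => v >= (40, 0, 3),
        41 => v >= (41, 0, 1),
        major => major > 41,
    }
}

pub fn assess(d: &Deployment) -> Exposure {
    let Some(v) = parse_version(d.version) else { return Exposure::UnknownVersion };
    if is_patched(v) { return Exposure::Patched; }
    // The uncaught segfault needs all of these at once.
    let reachable = d.x86_64 && d.avx && d.cranelift && !d.signals_based_traps && d.guard_pages;
    if reachable { Exposure::Exposed } else { Exposure::NotReachable }
}

fn main() {
    // Constructed sample: unpatched release with signals-based traps disabled.
    let d = Deployment { version: "40.0.2", x86_64: true, avx: true, cranelift: true,
                         signals_based_traps: false, guard_pages: true };
    println!("{} -> {:?}", d.version, assess(&d));
}
```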
Exploit
Fix
Out of bounds Read
Weakness Enumeration
Related Identifiers
Affected Products
Wasmtime