{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34944", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T17:27:08.660Z", "datePublished": "2026-04-09T18:38:16.182Z", "dateUpdated": "2026-04-13T15:38:40.634Z"}, "containers": {"cna": {"title": "Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64", "problemTypes": [{"descriptions": [{"cweId": "CWE-248", "lang": "en", "description": "CWE-248: Uncaught Exception", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv"}], "affected": [{"vendor": "bytecodealliance", "product": "wasmtime", "versions": [{"version": "< 24.0.7", "status": "affected"}, {"version": ">= 25.0.0, < 36.0.7", "status": "affected"}, {"version": ">= 37.0.0, < 42.0.2", "status": "affected"}, {"version": ">= 43.0.0, < 44.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T18:38:16.182Z"}, "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1."}], "source": {"advisory": "GHSA-qqfj-4vcm-26hv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T15:06:23.130132Z", "id": "CVE-2026-34944", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:38:40.634Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34944", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:06:23.130132Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:33:31.219Z"}}], "cna": {"title": "Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64", "source": {"advisory": "GHSA-qqfj-4vcm-26hv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "bytecodealliance", "product": "wasmtime", "versions": [{"status": "affected", "version": "< 24.0.7"}, {"status": "affected", "version": ">= 25.0.0, < 36.0.7"}, {"status": "affected", "version": ">= 37.0.0, < 42.0.2"}, {"status": "affected", "version": ">= 43.0.0, < 44.0.1"}]}], "references": [{"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv", "name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-248", "description": "CWE-248: Uncaught Exception"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T18:38:16.182Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34944", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:38:40.634Z", "dateReserved": "2026-03-31T17:27:08.660Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T18:38:16.182Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "matchCriteriaId": "5A39DBFB-CD5E-4551-8885-053DF90E277A", "versionEndExcluding": "24.0.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "matchCriteriaId": "B5AB2157-3977-49F9-9058-6B16A2556170", "versionEndExcluding": "36.0.7", "versionStartIncluding": "25.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "matchCriteriaId": "1D7B70EB-93E3-4732-AB70-E6A531178941", "versionEndExcluding": "42.0.2", "versionStartIncluding": "37.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "matchCriteriaId": "15FD6AA4-973B-4647-9222-40FBDC16A6FD", "versionEndExcluding": "43.0.1", "versionStartIncluding": "43.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it's possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1."}], "id": "CVE-2026-34944", "lastModified": "2026-04-20T18:27:28.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T19:16:24.187", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-248"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "wasmtime: Wasmtime: Denial of Service due to out-of-bounds read during WebAssembly compilation", "id": "2456996", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456996"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-466", "details": ["A flaw was found in Wasmtime, a runtime for WebAssembly. On x86-64 platforms with SSE3 disabled, Wasmtime's Cranelift compiler backend may load additional data beyond the intended memory boundary when compiling the 'f64x2.splat' WebAssembly instruction. This out-of-bounds read can lead to a Denial of Service (DoS) through an uncaught segmentation fault if signals-based traps are disabled. While it could also load out-of-sandbox data if guard pages are disabled, this information is not accessible to WebAssembly guests."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-34944", "package_state": [{"cpe": "cpe:/a:redhat:connectivity_link:1", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhcl-1-3-wasm-shim", "product_name": "Red Hat Connectivity Link 1"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "virt-firmware-rs", "product_name": "Red Hat Enterprise Linux 10"}], "public_date": "2026-04-09T18:38:16Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34944\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34944\nhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,24.0.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[25.0.0,36.0.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[37.0.0,42.0.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[43.0.0,44.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wasmtime", "source": "cna", "vendor": "bytecodealliance"}, "product": "wasmtime", "vendor": "bytecodealliance"}], "analysis": {"en": {"generated_at": "2026-04-10T01:22:31.920971+00:00", "value": {"mitigation_remediation": ["Upgrade Wasmtime to version 24.0.7 or newer (including 36.0.7, 42.0.2, and 43.0.1).", "If upgrading is not immediately possible, re\u2011enable SSE3 on the host or configure Wasmtime to enable signals\u2011based traps.", "Verify that the WebAssembly runtime runs with its default trap handling enabled."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Versions of Wasmtime earlier than 24.0.7, 36.0.7, 42.0.2, or 43.0.1 that run on x86\u201164 processors with SSE3 disabled are affected. These include all releases in the 24, 36, 42, and 43 series before the specified patch points.", "description_and_impact": "When a Wasmtime instance compiles the f64x2.splat WebAssembly instruction on x86\u201164 platforms with SSE3 disabled, Cranelift may generate code that accesses eight additional bytes beyond the intended boundary. If signals\u2011based traps are turned off, this out\u2011of\u2011bounds load can trigger an uncaught segmentation fault, causing the Wasmtime process to crash. Because the accidental load does not expose data to the WebAssembly guest, the flaw does not lead to data disclosure or arbitrary code execution, but it can be used to disrupt service by crashing the runtime.", "risk_and_exploitability": "The CVSS score of 4.1 reflects moderate risk, emphasizing its denial\u2011of\u2011service impact rather than privilege escalation. No EPSS data or KEV listing is available, indicating limited public exploitation. Attackers would need the ability to execute Wasmtime with SSE3 disabled and signals\u2011based traps turned off; triggering the f64x2.splat instruction would then cause a crash. No active exploits have been reported, and the most likely vector is a remote service that intentionally disables SSE3 to run untrusted WebAssembly code."}}}}, "created": "2026-04-10T08:39:17.114033+00:00", "updated": "2026-04-10T09:31:40.792173+00:00", "vendors": ["bytecodealliance", "bytecodealliance$PRODUCT$wasmtime"]}