CVE-2026-24116 Overview
CVE-2026-24116 is an out-of-bounds read vulnerability affecting the Wasmtime WebAssembly runtime. Starting in version 29.0.0, the Cranelift compiler's handling of the f64.copysign WebAssembly instruction on x86-64 platforms with AVX can load 8 more bytes than necessary from memory. This improper memory access occurs due to incorrect load-sinking behavior during compilation, potentially leading to denial of service through segmentation faults or unintended exposure of out-of-sandbox data.
Critical Impact
When signals-based-traps are disabled, this vulnerability can cause uncaught segfaults from unmapped guard pages. With guard pages disabled, it may expose out-of-sandbox memory data.
Affected Products
- Wasmtime versions 29.0.0 through 36.0.4
- Wasmtime versions 37.0.0 through 40.0.2
- Wasmtime versions 41.0.0 through 41.0.0
Discovery Timeline
- 2026-01-27 - CVE CVE-2026-24116 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-24116
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-Bounds Read). The flaw resides in Cranelift's x64 instruction lowering code specifically within the fcopysign operation handling. When compiling WebAssembly code containing f64.copysign instructions, the Cranelift compiler incorrectly allows load-sinking optimization to proceed without first forcing operands into registers. This results in 128-bit loads being performed when only 64-bit loads are required, causing an 8-byte over-read beyond the intended memory bounds.
The vulnerability primarily affects x86-64 systems with AVX instruction set support. The impact varies based on the Wasmtime configuration: with signals-based traps enabled (the default), guard pages catch the out-of-bounds access and terminate the process safely. However, when signals-based traps are disabled, the runtime cannot intercept the invalid memory access, resulting in an uncaught segmentation fault. In the most severe configuration where both signals-based traps and guard pages are disabled, the over-read may access data outside the WebAssembly sandbox, though this data would not typically be observable by WebAssembly guests unless another Cranelift bug exists.
Root Cause
The root cause lies in the cranelift/codegen/src/isa/x64/lower.isle file where the lowering rules for fcopysign operations are defined. The original implementation allowed operands a and b to be directly used in the bitwise operations (x64_andnps, x64_andps, x64_orps for 32-bit floats and corresponding pd variants for 64-bit floats) without first forcing them into XMM registers. This permitted the load-sinking optimization to fold memory loads directly into the SIMD instructions, which inherently operate on 128-bit values rather than the 64-bit or 32-bit scalar floating-point values being processed.
Attack Vector
The attack vector is local, requiring the ability to execute WebAssembly modules on a vulnerable Wasmtime instance. An attacker would need to craft a WebAssembly module containing f64.copysign (or f32.copysign) instructions with memory operands positioned to trigger the over-read condition. The exploitation scenario requires:
- A Wasmtime instance running on x86-64 with AVX support
- Signals-based traps disabled via Config::signals_based_traps(false)
- A WebAssembly module with strategically placed f64.copysign operations
The security patch forces operands into registers before use, preventing the problematic load-sinking optimization:
;; Rules for `fcopysign` ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
(rule (lower (has_type $F32 (fcopysign a @ (value_type $F32) b)))
- (let ((sign_bit Xmm (imm $F32 0x80000000)))
+ (let ((sign_bit Xmm (imm $F32 0x80000000))
+ (a Xmm a) ;; force into reg so we don't sink a 128-bit load.
+ (b Xmm b))
(x64_orps
(x64_andnps sign_bit a)
(x64_andps sign_bit b))))
(rule (lower (has_type $F64 (fcopysign a @ (value_type $F64) b)))
- (let ((sign_bit Xmm (imm $F64 0x8000000000000000)))
+ (let ((sign_bit Xmm (imm $F64 0x8000000000000000))
+ (a Xmm a) ;; force into reg so we don't sink a 128-bit load.
+ (b Xmm b))
(x64_orpd
(x64_andnpd sign_bit a)
(x64_andpd sign_bit b))))
Source: Wasmtime Commit 728fa07
Detection Methods for CVE-2026-24116
Indicators of Compromise
- Unexpected segmentation faults or process crashes in Wasmtime-based applications on x86-64 AVX systems
- Crash logs indicating memory access violations during WebAssembly module execution
- Core dumps showing faults in Cranelift-compiled code paths related to floating-point copy sign operations
Detection Strategies
- Monitor application logs for segfault signals (SIGSEGV) originating from Wasmtime runtime processes
- Audit Wasmtime configurations to identify instances with signals_based_traps set to false
- Implement version detection to identify Wasmtime installations between 29.0.0 and the patched versions (36.0.5, 40.0.3, 41.0.1)
- Review WebAssembly modules for f64.copysign or f32.copysign instruction usage patterns
Monitoring Recommendations
- Enable crash reporting and analysis for all Wasmtime-powered services to capture potential exploitation attempts
- Implement runtime monitoring for unexpected memory access patterns in WebAssembly execution environments
- Set up alerts for process terminations in production Wasmtime deployments that may indicate triggered segfaults
How to Mitigate CVE-2026-24116
Immediate Actions Required
- Upgrade Wasmtime to patched versions: 36.0.5, 40.0.3, or 41.0.1 depending on your current major version
- If immediate upgrade is not possible, enable signals-based traps by ensuring Config::signals_based_traps(true) is set
- Audit all production Wasmtime configurations to verify guard pages are enabled
- Review any custom Wasmtime configurations that may have disabled default security features
Patch Information
Bytecode Alliance has released security patches across three supported version branches. Users should upgrade to the following versions:
- Version 36.0.5 for the 36.x release line (Wasmtime Commit ac92d9b)
- Version 40.0.3 for the 40.x release line (Wasmtime Commit 728fa07)
- Version 41.0.1 for the 41.x release line (Wasmtime Commit 799585f)
Users on older affected versions (29.0.0 through 35.x, 37.x through 39.x) should migrate to a supported major version as these branches will not receive patches. For complete release information, refer to the Wasmtime Stability Release Notes.
Workarounds
- Enable signals-based traps by calling Config::signals_based_traps(true) - see Wasmtime Config Signals-Based Traps documentation
- Ensure memory guard pages remain enabled (do not set guard size to zero) as documented in Wasmtime Config Memory Guard Size
- Note: While disabling guard pages is mentioned in some workarounds, it is NOT recommended as guard pages are a critical defense-in-depth measure
# Configuration example - ensure signals-based traps are enabled in your Rust code
# let mut config = Config::new();
# config.signals_based_traps(true); // This is the default, but verify it's not disabled
# let engine = Engine::new(&config)?;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
