CVE Vulnerabilities

CVE-2026-34944

Uncaught Exception

Published: Apr 09, 2026 | Modified: Jun 17, 2026
CVSS 3.x
5.7
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
4.7 MODERATE
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtimes compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled its possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests. This vulnerability is fixed in 24.0.7, 36.0.7, 42.0.2, and 43.0.1.

Weakness

An exception is thrown from a function, but it is not caught.

Affected Software

NameVendorStart VersionEnd Version
WasmtimeBytecodealliance*24.0.7 (excluding)
WasmtimeBytecodealliance25.0.0 (including)36.0.7 (excluding)
WasmtimeBytecodealliance37.0.0 (including)42.0.2 (excluding)
WasmtimeBytecodealliance43.0.0 (including)43.0.1 (excluding)
Rust-wasmtimeUbuntuquesting*

References