Memory Access Vulnerability in Wasmtime Runtime by Bytecode Alliance
CVE-2026-34944

4.1 MEDIUM

Key Information:

CVE Published: 9 April 2026

What is CVE-2026-34944?

The Wasmtime runtime for WebAssembly, in the affected versions listed below, contains a vulnerability on x86-64 platforms when SSE3 is disabled. The flaw occurs during compilation of the f64x2.splat WebAssembly instruction and can cause an unnecessary memory load. If signals-based traps are disabled, that load may lead to an uncaught segmentation fault when it touches an unmapped guard page. With guard pages disabled, there is a risk of out-of-sandbox data being accessed, although this data remains invisible to WebAssembly guests. The issue is fixed in Wasmtime 24.0.7, 36.0.7 and 42.0.2.

Affected Version(s)

wasmtime < 24.0.7

wasmtime >= 25.0.0, < 36.0.7

wasmtime >= 37.0.0, < 42.0.2
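
To check a Rust project against the ranges above, the following added example (not code from this page or from the Wasmtime project) scans `Cargo.lock` text for pinned `wasmtime` versions and reports the affected ones. The names `scan_lockfile` and `is_affected` are hypothetical, the lockfile layout is assumed to be the one Cargo generates (`name` followed by `version`), and the sample lockfile is constructed.

```python
import re

# Affected ranges as listed on this page: (inclusive lower bound, exclusive upper bound).
AFFECTED = [
    ((0, 0, 0), (24, 0, 7)),
    ((25, 0, 0), (36, 0, 7)),
    ((37, 0, 0), (42, 0, 2)),
]

# Assumes Cargo's generated layout: name and version are the first two keys of a package.
PACKAGE_RE = re.compile(
    r'\[\[package\]\]\s*\nname = "(?P<name>[^"]+)"\s*\nversion = "(?P<version>[^"]+)"'
)

def parse_version(text):
    """Return ((major, minor, patch), has_prerelease); build metadata is ignored."""
    core, _, pre = text.split("+", 1)[0].partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a semver version: {text!r}")
    return tuple(int(p) for p in parts), bool(pre)

def is_affected(version):
    """True if `version` falls in one of the affected ranges."""
    triple, prerelease = parse_version(version)
    for low, high in AFFECTED:
        if low <= triple < high:
            return True
        # Conservative choice: a pre-release of a fixed version sorts before
        # the fix in semver, so it is reported as affected.
        if prerelease and triple == high:
            return True
    return False

def scan_lockfile(lock_text, crate="wasmtime"):
    """Return the sorted affected versions of `crate` pinned in Cargo.lock text."""
    found = {m["version"] for m in PACKAGE_RE.finditer(lock_text) if m["name"] == crate}
    return sorted(v for v in found if is_affected(v))

# Constructed sample lockfile (not from a real project).
SAMPLE_LOCK = "\n\n".join(
    f'[[package]]\nname = "{name}"\nversion = "{version}"'
    for name, version in [("wasmtime", "36.0.2"), ("wasmtime", "42.0.2"),
                          ("wasmtime-environ", "36.0.2")]
) + "\n"

if __name__ == "__main__":
    print(scan_lockfile(SAMPLE_LOCK))
```

Only the crate named `wasmtime` is matched, because that is the only package this page lists; a lockfile can pin several versions of it at once, and each is checked separately.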

CVSS V4

Score: 4.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
