DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24116: The Greedy Fetch - Crashing Wasmtime with AVX Optimizations


Vulnerability ID: CVE-2026-24116
CVSS Score: 7.5
Published: 2026-01-27

A critical code generation flaw in Wasmtime's Cranelift compiler allows malicious WebAssembly modules to trigger host-level segmentation faults. By exploiting AVX instruction folding optimizations, an attacker can force the CPU to read out-of-bounds memory, leading to immediate Denial of Service.

TL;DR

The Cranelift compiler got too aggressive with AVX optimizations on x86-64. It implemented scalar floating-point copysign operations using 128-bit vector instructions without realizing those instructions always fetch 16 bytes from memory. If a guest places a float at the edge of a memory page, the host CPU over-reads into the guard page, crashing the runtime.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-125 (Out-of-bounds Read)
  • Attack Vector: Local (Guest Wasm Module)
  • CVSS: 7.5 (High)
  • Architecture: x86-64 + AVX
  • Impact: Denial of Service (Host Crash)
  • Component: Cranelift ISLE

Affected Systems

  • Wasmtime Runtime (x86-64 with AVX)
  • Cranelift Compiler Backend
  • Rust applications embedding Wasmtime
  • Wasmtime == 41.0.0 (fixed in 41.0.1)
  • Wasmtime >= 40.0.0, < 40.0.3 (fixed in 40.0.3)
  • Wasmtime <= 39.x.x (fixed in 36.0.5)

Code Analysis

Commit: 799585f

Fix incorrect ISLE optimization for AVX copysign

--- a/cranelift/codegen/src/isa/x64/inst.isle
+++ b/cranelift/codegen/src/isa/x64/inst.isle
@@ -123,7 +123,7 @@
 (rule (lower (has_type $F64 (fcopysign a @ (value_type $F64) b)))
-      (x64_orpd (x64_andnpd (imm $F64 0x8000000000000000) a) 
-                (x64_andpd (imm $F64 0x8000000000000000) b)))
+      (let ((sign_bit Xmm (imm $F64 0x8000000000000000))
+            (a Xmm a)
+            (b Xmm b))
+        (x64_orpd (x64_andnpd sign_bit a) (x64_andpd sign_bit b))))
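Review bot: Only the `$F64` `fcopysign` rule at line 123 is changed here; if the `$F32` variant of this lowering has the same shape (sign-bit immediate and the raw `a`/`b` values passed straight into the and/andn helpers), it needs the same register-forcing, otherwise a 4-byte float at a page edge will hit the same 16-byte over-read. Binding `a` and `b` to `Xmm` before they reach `x64_andnpd`/`x64_andpd` is the right shape for the fix, since it stops a scalar load from being folded into the vector instruction's memory operand; please also add a regression test that places the float in the last 8 bytes before a guard page so this cannot silently regress when the ISLE rules are next touched.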

Exploit Details

  • Internal: Constructed PoC requiring manual memory alignment of float values to page boundaries.

Mitigation Strategies

  • Update Wasmtime runtime immediately.
  • Disable AVX support in the compiler configuration (temporary workaround).
  • Ensure signal-based trap handling is enabled (default) to catch some crash vectors.

Remediation Steps:

  1. Identify systems running Wasmtime with Cranelift backend on x86-64.
  2. Check current version against the vulnerability matrix (41.0.0, 40.0.x affected).
  3. Upgrade to version 41.0.1, 40.0.3, or 36.0.5.
  4. Restart the Wasmtime services.
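The version check in step 2 can be automated against a project's Cargo.lock. The script below is an added example, not code from the advisory or from the Wasmtime project; it encodes the three affected ranges exactly as the matrix above states them, and it assumes (this is the script's own reading, not something the advisory spells out) that 36.0.5 and later on the 36.x line carry the backported fix while 37.x through 39.x do not. The Cargo.lock text it scans is a constructed sample.

```python
"""Audit a Cargo.lock for Wasmtime versions affected by CVE-2026-24116.

Affected ranges come from the advisory's version matrix:
  41.0.0            -> fixed in 41.0.1
  >= 40.0.0 < 40.0.3 -> fixed in 40.0.3
  <= 39.x.x          -> fixed in 36.0.5
Assumption (ours, not the advisory's): 36.0.5 and later on the 36.x line
are fixed; everything else below 40.0.0 is treated as affected.
"""
import re
from typing import NamedTuple, Optional


class Finding(NamedTuple):
    version: str
    affected: bool
    fixed_in: Optional[str]


def parse_version(text: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable integer triple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(version: str) -> Finding:
    """Map one Wasmtime version onto the advisory's affected/fixed matrix."""
    v = parse_version(version)
    if v == (41, 0, 0):
        return Finding(version, True, "41.0.1")
    if (40, 0, 0) <= v < (40, 0, 3):
        return Finding(version, True, "40.0.3")
    if v < (40, 0, 0):
        # Assumption: the 36.x LTS line is fixed from 36.0.5 onward.
        if (36, 0, 5) <= v < (37, 0, 0):
            return Finding(version, False, None)
        return Finding(version, True, "36.0.5")
    return Finding(version, False, None)


# Matches the [[package]] entry whose name is exactly "wasmtime" (not
# "wasmtime-cranelift" etc.) and captures its version string.
_PKG_RE = re.compile(
    r'\[\[package\]\]\s*name = "wasmtime"\s*version = "([^"]+)"'
)


def wasmtime_versions(cargo_lock: str) -> list:
    """Return every version of the `wasmtime` crate pinned in a Cargo.lock."""
    return _PKG_RE.findall(cargo_lock)


def audit(cargo_lock: str) -> list:
    """Classify every pinned wasmtime version found in the lock file."""
    return [classify(v) for v in wasmtime_versions(cargo_lock)]


# Constructed sample lock file: one affected wasmtime pin plus a sibling
# crate that must NOT be picked up by the name match.
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "wasmtime"
version = "41.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "wasmtime-cranelift"
version = "41.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CARGO_LOCK):
        status = f"AFFECTED, upgrade to {f.fixed_in}" if f.affected else "not affected"
        print(f"wasmtime {f.version}: {status}")
```

Run it against a real lock file with `audit(open("Cargo.lock").read())`; a hit for 41.0.0 reports the 41.0.1 target, a 40.0.x hit reports 40.0.3, and anything older reports 36.0.5, matching the upgrade targets in step 3.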

References


Read the full report for CVE-2026-24116 on our website for more details including interactive diagrams and full exploit analysis.
