DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-34944: Out-of-bounds Read and Denial of Service in Wasmtime Cranelift Backend

Vulnerability ID: CVE-2026-34944
CVSS Score: 4.1
Published: 2026-04-09

An out-of-bounds read exists in the Cranelift x86-64 backend of Wasmtime. When the SSE3 target feature is disabled, the lowering of the f64x2.splat operation fuses the operand's 8-byte load into a pshufd instruction with a memory operand, and pshufd always reads a full 16 bytes. The 8 extra bytes are not covered by the bounds check, so an access near the end of linear memory can run past it and fault, crashing the host process (denial of service). The shuffle immediate 0b01_00_01_00 duplicates the low 64 bits, so the extra bytes never reach the splat result; the impact is the crash, not a data leak into the guest.

TL;DR

Wasmtime instances running on x86-64 with SSE3 disabled (and signals-based traps disabled, see the prerequisites below) are vulnerable to a denial of service caused by an instruction-selection bug in Cranelift. The bug fuses an 8-byte f64 load into the memory operand of pshufd, which reads 16 bytes; the widened load can run past the end of linear memory and crash the host with an out-of-bounds read.
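A software model of the two lowerings, written for this page as an added example (it is not Cranelift or Wasmtime code). It models pshufd's shuffle semantics, the explicit 8-byte bounds check that is emitted when signals-based traps are disabled, and the difference between a pshufd whose operand is a 16-byte memory load (the buggy rule) and one whose operand is a register that was filled by an 8-byte load (the put_in_xmm fix). The 64-byte "linear memory", its contents, the enum names and the helper functions are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example modelling the x86-64 lowerings of f64x2.splat discussed in
 * this report; not Cranelift/Wasmtime code. PSHUFD xmm, xmm/m128, imm8
 * always consumes a 16-byte operand, while the Wasm bounds check for an
 * f64 load only covers 8 bytes. */

enum splat_status { SPLAT_OK = 0, SPLAT_TRAP = 1, SPLAT_OOB_READ = 2 };

/* PSHUFD semantics: each 2-bit field of imm selects the source dword for the
 * corresponding destination dword. 0b01_00_01_00 selects [0,1,0,1], i.e. it
 * duplicates the low 64 bits and never uses source dwords 2 and 3. */
static void pshufd_model(const uint32_t src[4], uint8_t imm, uint32_t dst[4])
{
    for (int i = 0; i < 4; i++)
        dst[i] = src[(imm >> (2 * i)) & 3];
}

/* Explicit bounds check of the kind emitted when signals-based traps are
 * disabled: the access [off, off + size) must lie inside [0, mem_len). */
static int in_bounds(size_t mem_len, size_t off, size_t size)
{
    return off <= mem_len && size <= mem_len - off;
}

/* Buggy lowering: the 8-byte f64 load is fused into PSHUFD's memory operand,
 * so the instruction fetches 16 bytes although only 8 were checked. */
enum splat_status splat_f64x2_pshufd_mem(const uint8_t *mem, size_t mem_len,
                                         size_t off, double out[2])
{
    if (!in_bounds(mem_len, off, 8))
        return SPLAT_TRAP;          /* ordinary, guest-visible Wasm trap */
    if (!in_bounds(mem_len, off, 16))
        return SPLAT_OOB_READ;      /* check passed, load still overruns */
    uint32_t src[4], dst[4];
    memcpy(src, mem + off, 16);     /* what PSHUFD m128 actually fetches */
    pshufd_model(src, 0x44 /* 0b01_00_01_00 */, dst);
    memcpy(out, dst, 16);
    return SPLAT_OK;
}

/* Fixed lowering (put_in_xmm): load exactly the checked 8 bytes into a
 * register, then PSHUFD on the register operand. */
enum splat_status splat_f64x2_pshufd_reg(const uint8_t *mem, size_t mem_len,
                                         size_t off, double out[2])
{
    if (!in_bounds(mem_len, off, 8))
        return SPLAT_TRAP;
    uint32_t src[4] = {0, 0, 0, 0}, dst[4];
    memcpy(src, mem + off, 8);      /* scalar 8-byte load into the low lane */
    pshufd_model(src, 0x44, dst);
    memcpy(out, dst, 16);
    return SPLAT_OK;
}

/* Constructed 64-byte "linear memory" (sample data, not from the report):
 * 1.5 at offset 0, -2.25 at offset 8, and 1.5 in the last f64 slot at 56. */
#define MEM_LEN 64
static uint8_t g_mem[MEM_LEN];

static void init_mem(void)
{
    double a = 1.5, b = -2.25;
    memset(g_mem, 0, MEM_LEN);
    memcpy(g_mem + 0, &a, 8);
    memcpy(g_mem + 8, &b, 8);
    memcpy(g_mem + MEM_LEN - 8, &a, 8);
}

static enum splat_status run(int fixed, size_t off, double out[2])
{
    init_mem();
    return fixed ? splat_f64x2_pshufd_reg(g_mem, MEM_LEN, off, out)
                 : splat_f64x2_pshufd_mem(g_mem, MEM_LEN, off, out);
}

/* Status of the buggy (fixed == 0) or fixed (fixed == 1) lowering at `off`. */
int run_status(int fixed, size_t off)
{
    double out[2];
    return (int)run(fixed, off, out);
}

/* 1 if the lowering succeeds at `off` and both result lanes equal `expect`. */
int lanes_equal(int fixed, size_t off, double expect)
{
    double out[2];
    return run(fixed, off, out) == SPLAT_OK && out[0] == expect && out[1] == expect;
}

int main(void)
{
    printf("last slot, pshufd m128: status %d (2 = overrun past checked range)\n",
           run_status(0, MEM_LEN - 8));
    printf("last slot, pshufd xmm : status %d, lanes == 1.5: %d\n",
           run_status(1, MEM_LEN - 8), lanes_equal(1, MEM_LEN - 8, 1.5));
    printf("offset 0,  pshufd m128: high 8 bytes discarded by shuffle: %d\n",
           lanes_equal(0, 0, 1.5));
    return 0;
}
```

The last-slot case is the one that matters: the 8-byte check passes, the fused load still reaches 8 bytes beyond the checked range, and whether that faults depends only on what happens to be mapped there. The offset-0 case shows why the report classifies the impact as a crash rather than a leak: the -2.25 that the widened load also fetches never appears in either lane.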


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-125: Out-of-bounds Read
  • Attack Vector: Local
  • CVSS v4.0: 4.1
  • Impact: Denial of Service (Crash)
  • Prerequisites: SSE3 disabled, Signals-based traps disabled
  • Exploit Status: Proof of Concept

Affected Systems

  • Wasmtime Runtime
  • Cranelift Code Generator (x86-64 backend)
  • Wasmtime: < 24.0.7 (Fixed in: 24.0.7)
  • Wasmtime: >= 25.0.0, < 36.0.7 (Fixed in: 36.0.7)
  • Wasmtime: >= 37.0.0, < 42.0.2 (Fixed in: 42.0.2)
  • Wasmtime: >= 43.0.0, < 43.0.1 (Fixed in: 43.0.1)

Code Analysis

Commit: 96dde3a

Fix out-of-bounds read in Cranelift x86-64 backend (43.0.x branch)

--- a/cranelift/codegen/src/isa/x64/lower.isle
+++ b/cranelift/codegen/src/isa/x64/lower.isle
@@ -1,2 +1,2 @@
 (rule 0 (lower (has_type $F64X2 (splat src)))
-        (x64_pshufd src 0b01_00_01_00))
+        (x64_pshufd (put_in_xmm src) 0b01_00_01_00))
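Review bot: the rule gives no hint why `src` must now go through `put_in_xmm`, so a later cleanup could reasonably "simplify" it back to `(x64_pshufd src ...)` and reintroduce the bug; add a one-line comment above the rule stating that pshufd's m128 form reads 16 bytes while the f64 operand is only bounds-checked for 8, so a load must never be fused into the pshufd operand. The hunk also carries no regression test: a compile test run with SSE3 disabled that splats a loaded f64 and checks that the emitted pshufd takes an xmm operand rather than a memory operand would pin this down.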

Commit: 9d73a6e

Fix out-of-bounds read in Cranelift x86-64 backend (42.0.x branch)

--- a/cranelift/codegen/src/isa/x64/lower.isle
+++ b/cranelift/codegen/src/isa/x64/lower.isle
@@ -1,2 +1,2 @@
 (rule 0 (lower (has_type $F64X2 (splat src)))
-        (x64_pshufd src 0b01_00_01_00))
+        (x64_pshufd (put_in_xmm src) 0b01_00_01_00))
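Review bot: this hunk is identical to the 43.0.x one, which is fine for a backport, but the same comment and regression test belong on this branch too, otherwise the two branches diverge the next time lower.isle is touched. The report also lists 24.0.7 and 36.0.7 as fixed releases without showing the corresponding hunks; confirm the same one-line change landed on those branches, since any branch where `src` is still passed straight to `x64_pshufd` keeps the 16-byte fused load.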

Mitigation Strategies

  • Update Wasmtime to a patched release for your branch (24.0.7, 36.0.7, 42.0.2, or 43.0.1). This is the only complete fix; the two items below are configuration workarounds that avoid the vulnerable lowering.
  • Do not disable the SSE3 target feature in the Wasmtime/Cranelift configuration on x86-64 hosts; with SSE3 available, f64x2.splat is lowered differently and the affected pshufd rule is not selected.
  • Keep signals-based traps enabled; the report lists them being disabled as a prerequisite for the crash.

Remediation Steps:

  1. Identify the current version of Wasmtime deployed in your infrastructure.
  2. Select the appropriate patched release matching your major version branch.
  3. Recompile or reinstall Wasmtime components to apply the patch.
  4. Verify configuration files to ensure signals-based traps are not explicitly disabled.
