Source: rust-wasmtime
Version: 29.0.1+dfsg-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for rust-wasmtime.

CVE-2026-24116[0]:
| Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0
| and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms
| with AVX, Wasmtime's compilation of the `f64.copysign` WebAssembly
| instruction with Cranelift may load 8 more bytes than is necessary.
| When signals-based-traps are disabled this can result in an uncaught
| segfault due to loading from unmapped guard pages. With guard pages
| disabled it's possible for out-of-sandbox data to be loaded, but
| unless there is another bug in Cranelift this data is not visible to
| WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been
| released to fix this issue. Users are recommended to upgrade to the
| patched versions of Wasmtime. Other affected versions are not
| patched and users should update to a supported major version instead.
| This bug can be worked around by enabling signals-based-traps. While
| disabling guard pages can be a quick fix in some situations, it's
| not recommended to disable guard pages as it is a key defense-in-depth
| measure of Wasmtime.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-24116
    https://www.cve.org/CVERecord?id=CVE-2026-24116
[1] https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73
[2] https://rustsec.org/advisories/RUSTSEC-2026-0006.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
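As an added example (not part of the bug report or of the Wasmtime project), the following Rust program turns the affected-version statement in the advisory into a check that can be run over a Cargo.lock: it classifies a wasmtime version as affected, patched, or unparseable using the ranges quoted above. It assumes that Debian suffixes such as "+dfsg-5" and pre-release tags can be dropped before comparing, and that majors above 41 carry the fix; the Cargo.lock excerpt is constructed sample data.

```rust
// Added example, not from the bug report or the Wasmtime project: classify a
// wasmtime crate version against the ranges stated in the advisory above.
// Assumptions: "+dfsg-5"-style suffixes and pre-release tags are dropped
// before comparing, and majors above 41 are treated as fixed.

/// Parse the leading "x.y.z" of a version string.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '+' || c == '-').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Some(true) if `v` falls in the affected range of CVE-2026-24116,
/// Some(false) if it is unaffected or patched, None if unparseable.
pub fn is_affected(v: &str) -> Option<bool> {
    let ver = parse_version(v)?;
    if ver < (29, 0, 0) { return Some(false); }
    match ver.0 {
        36 => Some(ver < (36, 0, 5)),
        40 => Some(ver < (40, 0, 3)),
        41 => Some(ver < (41, 0, 1)),
        // Majors 29-35 and 37-39 received no patch per the advisory.
        29..=35 | 37..=39 => Some(true),
        _ => Some(false), // assumption: later majors carry the fix
    }
}

/// Find the wasmtime package version recorded in Cargo.lock text.
pub fn wasmtime_version_in_lockfile(lock: &str) -> Option<String> {
    let mut in_wasmtime = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_wasmtime = false;
        } else if line == "name = \"wasmtime\"" {
            in_wasmtime = true;
        } else if let Some(rest) = line.strip_prefix("version = \"") {
            if in_wasmtime {
                return Some(rest.trim_end_matches('"').to_string());
            }
        }
    }
    None
}

/// Constructed Cargo.lock excerpt pinned to the Debian package's upstream version.
pub const SAMPLE_LOCK: &str = "[[package]]\nname = \"libc\"\nversion = \"0.2.0\"\n\n[[package]]\nname = \"wasmtime\"\nversion = \"29.0.1\"\n";

fn main() {
    let v = wasmtime_version_in_lockfile(SAMPLE_LOCK).expect("wasmtime not in lock");
    println!("wasmtime {v}: affected = {:?}", is_affected(&v));
}
```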

