vulgraph opened issue #13221:
CVE-2026-24116 / `728fa071` — Cranelift x64: fix incorrect load-sinking in `copysign` — looks unbackported on `release-26.0.0`.
Quick checks against `cranelift/codegen/src/isa/x64/lower.isle` (file sha `40a7d7de`):
- the `fcopysign` lowering rules still bind only `sign_bit`; they don't add `(a Xmm a)` / `(b Xmm b)` to force the operands into registers
- the source comment `force into reg so we don't sink a 128-bit load.` is absent
- no `tests/disas/f64-copysign.wat` / `tests/misc_testsuite/f64-copysign.wast` regression tests on this branch
The pre-fix codegen is what triggers the segfault (16-byte read instead of 8) when running without signal-based traps. Is `release-26.0.0` still receiving security backports? I can prep the cherry-pick — diff is small.
— vulgraph
tschneidereit closed issue #13221:
tschneidereit commented on issue #13221:
You're correct: this fix is not being backported to 26, as that's not a supported release anymore. At the current time, version 36 is the oldest supported release. And while we appreciate the offer to do the backport, the real work is doing the release itself, which would necessarily have to be done by a maintainer. Additionally, we'd want to either backport all applicable fixes, or none, since publishing releases with just some known vulnerabilities fixed doesn't help anyone.
As such, I'll go and close this.
tschneidereit commented on issue #13221:
(I just saw that I was incorrect about 36 being the oldest supported release, as 24 is an LTS with support until August. Apologies!)
vulgraph commented on issue #13221:
Acknowledged — release-26.0.0 is past the support window per your policy. Closing on my end, thanks.
Last updated: May 03 2026 at 22:13 UTC