Stream: git-wasmtime

Topic: wasmtime / issue #13222 release 29.0.0: CVE-2026-24116 (C...


Wasmtime GitHub notifications bot (Apr 28 2026 at 12:31):

vulgraph opened issue #13222:

On release-29.0.0, CVE-2026-24116 / 728fa071 hasn't been picked up. The vulnerability is the x64 fcopysign lowering allowing an f64.load to sink in and widen to a 128-bit read, which can segfault when Wasmtime runs without signals-based traps.

cranelift/codegen/src/isa/x64/lower.isle (sha ab44d23a) still has the original fcopysign rules with no Xmm-coercion of a / b and no "force into reg so we don't sink a 128-bit load." comment. The regression tests tests/disas/f64-copysign.wat and tests/misc_testsuite/f64-copysign.wast introduced upstream are also absent.

If release-29.0.0 is in scope for security backports, the cherry-pick is small (4 lines plus tests) — I can put up the PR.

Thanks,
vulgraph

Wasmtime GitHub notifications bot (Apr 28 2026 at 14:17):

alexcrichton closed issue #13222.

Wasmtime GitHub notifications bot (Apr 28 2026 at 14:17):

alexcrichton commented on issue #13222:

See https://github.com/bytecodealliance/wasmtime/issues/13220 and https://github.com/bytecodealliance/wasmtime/issues/13221. You can read more about our release process here: https://docs.wasmtime.dev/stability-release.html

Wasmtime GitHub notifications bot (Apr 30 2026 at 17:03):

vulgraph commented on issue #13222:

Thanks for the cross-link to the policy explanation in the sister thread — got it, no further action needed here. Closing.


Last updated: May 03 2026 at 22:13 UTC