Stream: git-wasmtime

Topic: wasmtime / issue #13232 Backport CVE-2026-24116 to releas...

view this post on Zulip Wasmtime GitHub notifications bot (Apr 29 2026 at 18:57):

vulgraph opened issue #13232:

Hi — checking on release-27.0.0.

Upstream 728fa071 ("[40.0] Backport Cranelift: x64: fix incorrect load-sinking in copysign operator", CVE-2026-24116) appears not to have made it onto this branch.

Pre-fix fcopysign lowering still present in cranelift/codegen/src/isa/x64/lower.isle (sha a5b3330e):

(rule (lower (has_type $F32 (fcopysign a @ (value_type $F32) b)))
      (let ((sign_bit Xmm (imm $F32 0x80000000)))
        (x64_orps
          (x64_andnps sign_bit a)
          (x64_andps sign_bit b))))

The fix simply forces a and b into XMM registers before the bitwise ops so the f64.load can't sink-and-widen. Two small bindings plus regression tests.

Should I open a backport PR aligned to the upstream commit? Want to confirm the branch is still in scope first.

vulgraph

view this post on Zulip Wasmtime GitHub notifications bot (Apr 29 2026 at 18:59):

cfallin closed issue #13232:

Hi — checking on release-27.0.0.

Upstream 728fa071 ("[40.0] Backport Cranelift: x64: fix incorrect load-sinking in copysign operator", CVE-2026-24116) appears not to have made it onto this branch.

Pre-fix fcopysign lowering still present in cranelift/codegen/src/isa/x64/lower.isle (sha a5b3330e):

(rule (lower (has_type $F32 (fcopysign a @ (value_type $F32) b)))
      (let ((sign_bit Xmm (imm $F32 0x80000000)))
        (x64_orps
          (x64_andnps sign_bit a)
          (x64_andps sign_bit b))))

The fix simply forces a and b into XMM registers before the bitwise ops so the f64.load can't sink-and-widen. Two small bindings plus regression tests.

Should I open a backport PR aligned to the upstream commit? Want to confirm the branch is still in scope first.

vulgraph

view this post on Zulip Wasmtime GitHub notifications bot (Apr 29 2026 at 18:59):

cfallin commented on issue #13232:

Hi @vulgraph -- as has been explained to you several times already (#13220, #13221, #13222), we have documentation on which releases are supported with ongoing patches and which are not. v27 is not supported anymore. Please do not file any more issues about this topic before you review that documentation. Thanks.

view this post on Zulip Wasmtime GitHub notifications bot (Apr 30 2026 at 16:02):

vulgraph commented on issue #13232:

Got it, thanks for the policy clarification. Won't pursue release-27.0.0 further.

Last updated: May 03 2026 at 22:13 UTC