wasmtime / issue #13233 release-28.0.0: missing CVE-2026-... · git-wasmtime

Stream: git-wasmtime

Topic: wasmtime / issue #13233 release-28.0.0: missing CVE-2026-...

Wasmtime GitHub notifications bot (Apr 29 2026 at 18:58):

Looking at release-28.0.0 for the CVE-2026-24116 backport (upstream 728fa071). It doesn't appear to have landed.

check path branch sha post-fix marker present?

force-reg binding cranelift/codegen/src/isa/x64/lower.isle ab44d23a no

disas regression tests/disas/f64-copysign.wat — no (file absent)

wast regression tests/misc_testsuite/f64-copysign.wast — no (file absent)

The vulnerable fcopysign rules are still the original two-let form (only sign_bit), and the comment force into reg so we don't sink a 128-bit load. doesn't appear in the file. So this is the pre-fix code path, not just a rename.

Happy to prepare the backport — it's effectively 4 lines in lower.isle plus the two test files. Just want to confirm release-28.0.0 is still receiving security fixes.

— vulgraph

check	path	branch sha	post-fix marker present?
force-reg binding	`cranelift/codegen/src/isa/x64/lower.isle`	`ab44d23a`	no
disas regression	`tests/disas/f64-copysign.wat`	—	no (file absent)
wast regression	`tests/misc_testsuite/f64-copysign.wast`	—	no (file absent)

Wasmtime GitHub notifications bot (Apr 29 2026 at 19:01):

cfallin closed issue #13233:

Looking at release-28.0.0 for the CVE-2026-24116 backport (upstream 728fa071). It doesn't appear to have landed.

check path branch sha post-fix marker present?

force-reg binding cranelift/codegen/src/isa/x64/lower.isle ab44d23a no

disas regression tests/disas/f64-copysign.wat — no (file absent)

wast regression tests/misc_testsuite/f64-copysign.wast — no (file absent)

The vulnerable fcopysign rules are still the original two-let form (only sign_bit), and the comment force into reg so we don't sink a 128-bit load. doesn't appear in the file. So this is the pre-fix code path, not just a rename.

Happy to prepare the backport — it's effectively 4 lines in lower.isle plus the two test files. Just want to confirm release-28.0.0 is still receiving security fixes.

— vulgraph

check	path	branch sha	post-fix marker present?
force-reg binding	`cranelift/codegen/src/isa/x64/lower.isle`	`ab44d23a`	no
disas regression	`tests/disas/f64-copysign.wat`	—	no (file absent)
wast regression	`tests/misc_testsuite/f64-copysign.wast`	—	no (file absent)

Wasmtime GitHub notifications bot (Apr 29 2026 at 19:01):

cfallin commented on issue #13233:

Yet again (previously: #13220, #13221, #13222, #13232), we only support LTS's and two most recent releases. v28 is not supported, sorry. Please do not file any more issues before referring to our documentation on this topic.

Wasmtime GitHub notifications bot (Apr 30 2026 at 16:09):

vulgraph commented on issue #13233:

Acknowledged the support policy — release-28.0.0 is outside that window. No further action.

Last updated: May 03 2026 at 22:13 UTC