CNNVD-202601-4468 Information

CNNVD ID

CNNVD-202601-4468

CVE-2026-24116

  • CNNVD Published: 2026-01-27

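Description (translated from Chinese)

Wasmtime is a lightweight WebAssembly runtime open-sourced by the Bytecode Alliance. Wasmtime versions from 29.0.0 up to but not including 36.0.5, versions before 40.0.3, and versions before 41.0.1 contain a buffer error vulnerability. The vulnerability arises because, on x86-64 platforms with AVX, Cranelift's compilation of the f64.copysign WebAssembly instruction may load extra bytes, which may lead to an uncaught segmentation violation or to loading data from outside the sandbox.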

Description (English)

Wasmtime is a lightweight WebAssembly runtime from the Bytecode Alliance. A buffer error vulnerability exists in versions from 29.0.0 up to but not including 36.0.5, in versions before 40.0.3, and in versions before 41.0.1. It stems from Cranelift's compilation of the f64.copysign WebAssembly instruction on x86-64 platforms with AVX, which may load redundant bytes and may lead to an uncaught segmentation fault or to loading data from outside the sandbox.

Hazard Level

High

Vulnerability Type

Buffer error

Affected Vendor

Bytecode Alliance

Published

2026-01-27

Last Modified

2026-02-24

References

  • https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.memory_guard_size
  • https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps
  • https://docs.wasmtime.dev/stability-release.html
  • https://github.com/bytecodealliance/wasmtime/commit/728fa07184f8da2a046f48ef9b61f869dce133a6
  • https://github.com/bytecodealliance/wasmtime/commit/799585fc362fcb991de147dd1a9f2ba0861ed440
  • https://github.com/bytecodealliance/wasmtime/commit/ac92d9bb729ad3a6d93f0724c4c33a0c4a9c0227
  • https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73
  • https://rustsec.org/advisories/RUSTSEC-2026-0006.html

Patch

https://github.com/bytecodealliance/wasmtime/releases
