CVE-2026-34944: Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64

April 9, 2026

On x86-64 platforms with SSE3 disabled Wasmtime’s compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in a uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it’s possible for out-of-sandbox data to be loaded, but this data is not visible to WebAssembly guests.

References

github.com/advisories/GHSA-qqfj-4vcm-26hv
github.com/bytecodealliance/wasmtime
github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv
nvd.nist.gov/vuln/detail/CVE-2026-34944

Code Behaviors & Features

Detect and mitigate CVE-2026-34944 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →