### Vulnerability Key Information

#### Vulnerability Title

Wasmtime segfault or unused out-of-sandbox load with `f64.copysign` operator on x86-64

#### Vulnerability ID

GHSA-vc8c-j3xm-xj73

#### Affected Versions

>= 29.0.0

#### Fixed Versions

36.0.5, 40.0.3, 41.0.1

#### Vulnerability Description

On x86-64 platforms, when Wasmtime is compiled with AVX support, Cranelift may load 8 more bytes than necessary when compiling the `f64.copysign` WebAssembly instruction. If signal-based traps are disabled, this may result in an uncaught segmentation fault, because data is loaded from unmapped guard pages. When guard pages are disabled, data outside the sandbox may be loaded, but unless there are other vulnerabilities in Cranelift, this data is not visible to the WebAssembly client.

#### Vulnerability Details

When the operand of `f64.copysign` is loaded from memory with `f64.load`, Cranelift compiles a 128-bit (16-byte) load instead of the expected 64-bit (8-byte) load when AVX is enabled on x86-64. The bounds check is performed for an 8-byte access, so an address that is valid for the 8-byte load can still cause up to 8 extra bytes to be read past the end of linear memory. This leads to three different behaviors depending on Wasmtime's configuration:

1. If guard pages are disabled, the extra data is loaded. This data resides in the upper bits of the register but is not visible to the WebAssembly client.
2. If guard pages are enabled and signal-based traps are enabled, the operation triggers a safe WebAssembly trap. The trap is spurious, since the access is in bounds as defined by WebAssembly, but the oversized load extends into the guard page and the resulting segmentation fault is caught and handled as a Wasm trap.
3. If guard pages are enabled and signal-based traps are disabled, the operation causes an uncaught segmentation fault, terminating the process.
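The following added example (not Wasmtime or Cranelift code) models the three behaviors above: a constructed linear memory followed by an optional guard region, the 8-byte bounds check that `f64.load` is validated against, and the 16-byte read that the miscompiled `f64.copysign` actually performs. The memory size, guard size and addresses are constructed values chosen for illustration.

```python
from dataclasses import dataclass

WASM_WIDTH = 8     # width the bounds check validates (an f64)
ACTUAL_WIDTH = 16  # width the miscompiled AVX load actually reads


@dataclass(frozen=True)
class Config:
    """Constructed model of the two Wasmtime settings the advisory names."""
    guard_size: int            # bytes of guard page after linear memory; 0 = disabled
    signals_based_traps: bool  # whether SIGSEGV is turned into a Wasm trap


def bounds_check_passes(addr: int, mem_size: int) -> bool:
    """The check emitted for an f64.load: all 8 bytes must lie inside memory."""
    return 0 <= addr and addr + WASM_WIDTH <= mem_size


def simulate_copysign_load(addr: int, mem_size: int, cfg: Config) -> str:
    """Outcome of executing f64.copysign on an f64.load at `addr`.

    Returns one of:
      'trap'          legitimate Wasm out-of-bounds trap (check fails)
      'ok'            the 16-byte read still lands inside linear memory
      'spurious_trap' extra bytes hit a guard page, fault caught as Wasm trap
      'segfault'      extra bytes hit a guard page, fault is uncaught
      'overread'      no guard page: host memory beyond the sandbox is read
    """
    if not bounds_check_passes(addr, mem_size):
        return "trap"
    end = addr + ACTUAL_WIDTH
    if end <= mem_size:
        return "ok"
    # The bounds check passed, yet the read runs past the end of memory.
    if end <= mem_size + cfg.guard_size:
        # Guard page is mapped but inaccessible, so the CPU faults.
        return "spurious_trap" if cfg.signals_based_traps else "segfault"
    # Nothing protects the bytes past linear memory: silent out-of-sandbox read.
    return "overread"


def outcomes_at_boundary(mem_size: int) -> dict:
    """Summarise the last in-bounds f64 address for each configuration."""
    last_ok_addr = mem_size - WASM_WIDTH   # passes the 8-byte check exactly
    return {
        "guard+signals": simulate_copysign_load(last_ok_addr, mem_size, Config(65536, True)),
        "guard-signals": simulate_copysign_load(last_ok_addr, mem_size, Config(65536, False)),
        "noguard": simulate_copysign_load(last_ok_addr, mem_size, Config(0, True)),
    }
```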
#### Impact

If signal-based traps are disabled and guard pages are enabled, a WebAssembly client can trigger an uncaught segmentation fault in the host process, potentially terminating it. This represents a Denial-of-Service (DoS) attack against the WebAssembly client.

#### Mitigation

Wasmtime versions 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users should upgrade to the patched versions.

#### References

- [signals-based-traps configuration](#)
- [guard page configuration](#)