Code Generation Bug in Wasmtime Affects WebAssembly on x86_64 Platforms
CVE-2023-27477

3.1LOW

Key Information:

Vendor

Bytecodealliance

Status
Wasmtime
Vendor
CVE Published:
8 March 2023

What is CVE-2023-27477?

Wasmtime, a fast and secure runtime for WebAssembly, contains a code generation bug affecting x86_64 platforms. Specifically, the bug occurs in the handling of the i8x16.select instruction when the same operand is used for the selection, and some selected indices exceed 16. This error arises from an off-by-one calculation in the mask for the pshufb instruction, leading to incorrect results, especially when lanes are selected from a secondary vector. Users are encouraged to update to Wasmtime versions 6.0.1, 5.0.1, or 4.0.1 to avoid this issue. For those unable to upgrade immediately, it is advisable to disable the Wasm SIMD proposal as a temporary measure. Notably, this bug does not affect other architectures such as AArch64 and s390x.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

wasmtime cranelift-codegen: >= 0.88.0, < 0.91.1 < cranelift-codegen: 0.88.0, 0.91.1

wasmtime cranelift-codegen: >= 0.92.0, < 0.92.1 < cranelift-codegen: 0.92.0, 0.92.1

wasmtime cranelift-codegen: >= 0.93.0, < 0.93.1 < cranelift-codegen: 0.93.0, 0.93.1

References

https://docs.rs/wasmtime/latest/wasmtime/struct.Config.ht...
https://github.com/webassembly/simd
https://groups.google.com/a/bytecodealliance.org/g/sec-an...

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.