CVE-2023-26489: Out-of-bounds Read in Cranelift-codegen

Severity
9.9 CRITICAL (NVD)
EPSS
2.6%
top 14.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 8
Latest update: Mar 9

Description

wasmtime is a fast and secure runtime for WebAssembly. In affected versions wasmtime's code generator, Cranelift, has a bug on x86_64 targets where address-mode computation mistakenly would calculate a 35-bit effective address instead of WebAssembly's defined 33-bit effective address. This bug means that, with default codegen settings, a wasm-controlled load/store operation could read/write addresses up to 35 bits away from the base of linear memory. Due to this bug, however, addresses up to `0x

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.1 | Impact: 6.0

Affected Packages: 6 packages

NVD | bytecodealliance/cranelift-codegen | 0.84.0 | 0.91.1 | +2
crates.io | bytecodealliance/cranelift-codegen | 0.84.0 | 0.91.1 | +2
NVD | bytecodealliance/wasmtime | 0.37.0 | 4.0.1 | +2
crates.io | bytecodealliance/wasmtime | 0.0.0-0 | 4.0.1 | +3
CVEListV5 | bytecodealliance/wasmtime | 6 versions | +5

Patches

🔴 Vulnerability Details

3
OSV
wasmtime vulnerable to guest-controlled out-of-bounds read/write on x86_64 (2023-03-09)
GHSA
wasmtime vulnerable to guest-controlled out-of-bounds read/write on x86_64 (2023-03-09)
OSV
Guest-controlled out-of-bounds read/write on x86_64 (2023-03-02)

📋 Vendor Advisories

1
Debian
CVE-2023-26489: rust-wasmtime - wasmtime is a fast and secure runtime for WebAssembly. In affected versions wasm... (2023)

📄 Research Papers

1
CTF
35ShadesOfWasm / solution (2023)