CVE-2023-41880
Published 2023-09-15
CVE-2023-41880: Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions from 10.0.0 to versions 10.02, 11.0.2, and 12.0.1 contain a miscompilation of the…
Priority: P4 (28) · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.60% (44.5th percentile)
Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions from 10.0.0 to versions 10.02, 11.0.2, and 12.0.1 contain a miscompilation of the WebAssembly `i64x2.shr_s` instruction on x86_64 platforms when the shift amount is a constant value that is larger than 32. Only x86_64 is affected so all other targets are not affected by this. The miscompilation results in the instruction producing an incorrect result, namely the low 32-bits of the second lane of the vector are derived from the low 32-bits of the second lane of the input vector instead of the high 32-bits. The primary impact of this issue is that any WebAssembly program using the `i64x2.shr_s` with a constant shift amount larger than 32 may produce an incorrect result.
This issue is not an escape from the WebAssembly sandbox. Execution of WebAssembly guest programs will still behave correctly with respect to memory sandboxing and isolation from the host. Wasmtime considers non-spec-compliant behavior as a security issue nonetheless.
This issue was discovered through fuzzing of Wasmtime's code generator Cranelift.
Wasmtime versions 10.0.2, 11.0.2, and 12.0.2 are all patched to no longer have this miscompilation. This issue only affects x86_64 hosts, and the only workaround is either to scan for this pattern in wasm modules, which is nontrivial, or to disable the SIMD proposal for WebAssembly. Users prior to 10.0.0 are unaffected by this vulnerability.
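A first-pass triage for the "scan for this pattern" workaround, as an added example that is not Wasmtime code: it flags a literal `i32.const N` immediately followed by `i64x2.shr_s` (encoded `0xFD 0xCC 0x01` per the WebAssembly SIMD binary format) where `N mod 64` is larger than 32. The names `leb`, `scan` and `sample` are hypothetical, the sample module is constructed, and because this is a raw byte scan of the code section it can flag coincidental byte sequences and cannot see shift amounts that are not a literal directly before the instruction.

```rust
// Added triage example, not Wasmtime code. Heuristic: flags a literal
// `i32.const N` immediately followed by `i64x2.shr_s` in the code section.
const SHR_S: [u8; 3] = [0xFD, 0xCC, 0x01]; // SIMD prefix 0xFD + LEB128(0xCC)

/// LEB128 decode: returns (value, bytes used); `signed` sign-extends the result.
fn leb(b: &[u8], signed: bool) -> Option<(i64, usize)> {
    let mut v = 0i64;
    for (i, &x) in b.iter().enumerate().take(5) {
        v |= ((x & 0x7F) as i64) << (7 * i);
        if x & 0x80 == 0 {
            if signed && x & 0x40 != 0 { v |= -1i64 << (7 * (i + 1)); }
            return Some((v, i + 1));
        }
    }
    None
}

/// Returns (byte offset of i32.const, shift amount mod 64) per suspicious site.
pub fn scan(module: &[u8]) -> Vec<(usize, u32)> {
    let mut hits = Vec::new();
    if !module.starts_with(b"\0asm") { return hits; }
    let mut pos = 8; // skip magic + version
    while pos < module.len() {
        let (len, n) = match leb(&module[pos + 1..], false) { Some(r) => r, None => break };
        let (start, id) = (pos + 1 + n, module[pos]);
        let end = start.saturating_add(len as usize).min(module.len());
        for i in start..end {
            if id != 10 || module[i] != 0x41 { continue; } // code section, i32.const
            if let Some((k, used)) = leb(&module[i + 1..end], true) {
                let amt = (k as u32) & 63; // wasm takes the shift modulo 64
                if amt > 32 && module[i + 1 + used..end].starts_with(&SHR_S) {
                    hits.push((i, amt));
                }
            }
        }
        pos = end;
    }
    hits
}

/// Constructed sample: header + code section with one body doing
/// `local.get 0; i32.const <imm>; i64x2.shr_s; end` (imm is one LEB byte).
pub fn sample(imm: u8) -> Vec<u8> {
    let mut m = b"\0asm\x01\0\0\0".to_vec();
    m.extend_from_slice(&[0x0A, 0x0B, 0x01, 0x09, 0x00, 0x20, 0x00, 0x41, imm, 0xFD, 0xCC, 0x01, 0x0B]);
    m
}

fn main() { println!("{:?}", scan(&sample(40))); }
```

A hit is a reason to run the module only on a patched Wasmtime or with SIMD disabled; an empty result does not prove the pattern is absent.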
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | >= 0.0.0-0 < 10.0.2 | 10.0.2 |
| bytecodealliance | wasmtime | >= 10.0.0 < 10.0.2 | 10.0.2 |
| bytecodealliance | wasmtime | >= 10.0.0 < 10.0.2 | 10.0.2 |
| bytecodealliance | wasmtime | >= 11.0.0 < 11.0.2 | 11.0.2 |
| bytecodealliance | wasmtime | >= 11.0.0 < 11.0.2 | 11.0.2 |
| bytecodealliance | wasmtime | >= 12.0.0 < 12.0.2 | 12.0.2 |
| bytecodealliance | wasmtime | >= 12.0.0 < 12.0.2 | 12.0.2 |
| debian | rust-wasmtime | < rust-wasmtime 15.0.0+dfsg-1 (forky) | rust-wasmtime 15.0.0+dfsg-1 (forky) |
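CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| osv | — | 5.3 | MEDIUM | — |
| vendor_debian | — | 2.2 | LOW | — |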
OSV
CVE-2023-41880: Wasmtime is a standalone runtime for WebAssembly
osv·2023-09-15·CVSS 5.3
CVE-2023-41880 [MEDIUM] CVE-2023-41880: Wasmtime is a standalone runtime for WebAssembly
GHSA
Miscompilation of wasm `i64x2.shr_s` instruction with constant input on x86_64
ghsa·2023-09-14
CVE-2023-41880 [LOW] CWE-193 Miscompilation of wasm `i64x2.shr_s` instruction with constant input on x86_64
Miscompilation of wasm `i64x2.shr_s` instruction with constant input on x86_64
### Impact
Wasmtime versions from 10.0.0 to 12.0.1 contain a miscompilation of the WebAssembly `i64x2.shr_s` instruction on x86_64 platforms when the shift amount is a constant value that is larger than 32. Only x86_64 is affected so all other targets are not affected by this. The miscompilation results in the instruction producing an incorrect result, namely the low 32-bits of the second lane of the vector are derived from the low 32-bits of the second lane of the input vector instead of the high 32-bits. The primary impact of this issue is that any WebAssembly program using the `i64x2.shr_s` with a constant shift amount larger than 32 may produce an incorrect result.
This issue is not an escape from the Web
OSV
Miscompilation of wasm `i64x2.shr_s` instruction with constant input on x86_64
osv·2023-09-14
CVE-2023-41880 [LOW] Miscompilation of wasm `i64x2.shr_s` instruction with constant input on x86_64
OSV
Miscompilation of wasm `i64x2.shr_s` instruction with constant input on x86_64
osv·2023-09-05
CVE-2023-41880 Miscompilation of wasm `i64x2.shr_s` instruction with constant input on x86_64
Miscompilation of wasm `i64x2.shr_s` instruction with constant input on x86_64
This is an entry in the RustSec database for the Wasmtime security advisory
located at
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gw5p-q8mj-p7gh.
For more information see the GitHub-hosted security advisory.
Debian
CVE-2023-41880: rust-wasmtime - Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions from 10.0.0 ...
vendor_debian·2023·CVSS 2.2
CVE-2023-41880 [LOW] CVE-2023-41880: rust-wasmtime - Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions from 10.0.0 ...
No detection rules found.
No public exploits indexed.
https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.wasm_simd
https://github.com/bytecodealliance/wasmtime/commit/8d7eda15b0badcbea83a7aac2d08f80788b59240
https://github.com/bytecodealliance/wasmtime/pull/6372
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gw5p-q8mj-p7gh
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gw5p-q8mj-p7gh#:~:text=Mailing%20list%20announcement