QID 996230

Date Published: 2023-12-13

QID 996230: Rust (Rust) Security Update for wasmtime (GHSA-gw5p-q8mj-p7gh)

Wasmtime versions from 10.0.0 to 12.0.1 contain a miscompilation of the WebAssembly i64x2.shr_s instruction on x86_64 platforms when the shift amount is a constant value that is larger than 32. Only x86_64 is affected so all other targets are not affected by this. The miscompilation results in the instruction producing an incorrect result, namely the low 32-bits of the second lane of the vector are derived from the low 32-bits of the second lane of the input vector instead of the high 32-bits. The primary impact of this issue is that any WebAssembly program using the i64x2.shr_s with a constant shift amount larger than 32 may produce an incorrect result.

Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.

CVSS V3 rated as Medium - 5.3 severity.

CVSS V2 rated as Medium - 5.4 severity.

Solution

Refer to Github security advisory GHSA-gw5p-q8mj-p7gh for updates and patch information.

Vendor References

GHSA-gw5p-q8mj-p7gh - github.com/advisories/GHSA-gw5p-q8mj-p7gh

CVEs related to QID 996230

CVE-2023-41880 |

Software Advisories

Advisory ID	Software	Component	Link
GHSA-gw5p-q8mj-p7gh	wasmtime		github.com/advisories/GHSA-gw5p-q8mj-p7gh

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].