Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2023-27477
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-08 Mar, 2023 | 21:15
Updated At-15 Mar, 2023 | 16:56

wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's code generation backend, Cranelift, has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will produce the wrong results when the same operand is provided to the instruction and some of the selected indices are greater than 16. There is an off-by-one error in the calculation of the mask to the `pshufb` instruction which causes incorrect results to be returned if lanes are selected from the second vector. This codegen bug has been fixed in Wasmtiem 6.0.1, 5.0.1, and 4.0.1. Users are recommended to upgrade to these updated versions. If upgrading is not an option for you at this time, you can avoid this miscompilation by disabling the Wasm simd proposal. Additionally the bug is only present on x86_64 hosts. Other platforms such as AArch64 and s390x are not affected.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Secondary3.13.1LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 3.1
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches
bytecodealliance
bytecodealliance
>>cranelift-codegen>>Versions from 0.84.0(inclusive) to 0.91.1(exclusive)
cpe:2.3:a:bytecodealliance:cranelift-codegen:*:*:*:*:*:rust:*:*
bytecodealliance
bytecodealliance
>>cranelift-codegen>>0.92.0
cpe:2.3:a:bytecodealliance:cranelift-codegen:0.92.0:*:*:*:*:rust:*:*
bytecodealliance
bytecodealliance
>>cranelift-codegen>>0.93.0
cpe:2.3:a:bytecodealliance:cranelift-codegen:0.93.0:*:*:*:*:rust:*:*
bytecodealliance
bytecodealliance
>>wasmtime>>Versions from 0.37.0(inclusive) to 4.0.1(exclusive)
cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*
bytecodealliance
bytecodealliance
>>wasmtime>>5.0.0
cpe:2.3:a:bytecodealliance:wasmtime:5.0.0:*:*:*:*:rust:*:*
bytecodealliance
bytecodealliance
>>wasmtime>>6.0.0
cpe:2.3:a:bytecodealliance:wasmtime:6.0.0:*:*:*:*:rust:*:*
Weaknesses
CWE IDTypeSource
CWE-193Primarysecurity-advisories@github.com
CWE ID: CWE-193
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.wasm_simdsecurity-advisories@github.com
Product
https://github.com/bytecodealliance/wasmtime/commit/5dc2bbccbb363e474d2c9a1b8e38a89a43bbd5d1security-advisories@github.com
Patch
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xm67-587q-r2vwsecurity-advisories@github.com
Mitigation
Patch
Vendor Advisory
https://github.com/webassembly/simdsecurity-advisories@github.com
Not Applicable
https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/Mov-ItrNJsQsecurity-advisories@github.com
Mailing List
Release Notes
Vendor Advisory
Hyperlink: https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.wasm_simd
Source: security-advisories@github.com
Resource:
Product
Hyperlink: https://github.com/bytecodealliance/wasmtime/commit/5dc2bbccbb363e474d2c9a1b8e38a89a43bbd5d1
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xm67-587q-r2vw
Source: security-advisories@github.com
Resource:
Mitigation
Patch
Vendor Advisory
Hyperlink: https://github.com/webassembly/simd
Source: security-advisories@github.com
Resource:
Not Applicable
Hyperlink: https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/Mov-ItrNJsQ
Source: security-advisories@github.com
Resource:
Mailing List
Release Notes
Vendor Advisory
Change History
0Changes found
Details not found