PT-2023-2185 · Wasmtime · Wasmtime

Alexcrichton · Published 2023-02-23 · Updated 2023-03-15 · CVE-2023-26489

CVSS v2.0: 10.0 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

wasmtime versions prior to 4.0.1
wasmtime versions prior to 5.0.1
wasmtime versions prior to 6.0.1
Description

The issue is a bug in Cranelift, the code generator used by Wasmtime. On x86_64 targets, the lowering rules for certain linear-memory address computations produce a 35-bit effective address instead of the 33-bit effective address that WebAssembly defines (a 32-bit index plus a 32-bit static offset): a 32-bit left shift of the index was folded into a 64-bit scaled-index addressing mode, so the high bits that the 32-bit shift should have discarded survive into the final address. Wasmtime's default configuration relies on guard pages after linear memory rather than explicit bounds checks for these accesses, so an address that can exceed the reserved region is no longer caught. A malicious module can therefore read or write memory up to about 34 GB beyond the base of its linear memory, which can lead to data corruption or arbitrary code execution in the host process. The bug is specific to x86_64 targets; the AArch64 backend is not affected. Affected embedders are recommended to analyze pre-existing wasm modules for potential exploitation and to consider the workarounds below until they can update.
Recommendations

Update to a release that fixes the erroneous lowering rules in the Cranelift x86_64 backend:
wasmtime versions prior to 4.0.1: update to version 4.0.1 or later
wasmtime versions prior to 5.0.1: update to version 5.0.1 or later
wasmtime versions prior to 6.0.1: update to version 6.0.1 or later

As a temporary workaround, use the Config::static_memory_maximum_size(0) option to force explicit bounds checking for all accesses to linear memory. Alternatively, use the Config::static_memory_guard_size(1 << 36) option to enlarge the guard region placed after linear memory so that every address the faulty lowering can produce still lands in guard pages, or switch to a non-x86_64 host if possible.
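To make the numbers in the description and the 1 << 36 workaround concrete, the following Rust program is an added example written for this page; it is not code from Wasmtime or Cranelift. It models the two address computations (the 33-bit one WebAssembly defines, and the 35-bit one the pre-fix x86_64 lowering produced when a constant i32.shl of the index was folded into a scaled-index addressing mode) and checks them against Wasmtime's default 64-bit layout of a 4 GiB static reservation followed by a 2 GiB guard region. The layout figures, the assumption that only static offsets below the guard size are folded into the address without an explicit bounds check, and all function names are the example's own.

```rust
// Added example (not Wasmtime or Cranelift code): a model of the
// CVE-2023-26489 address computation, used to show why the default
// 4 GiB + 2 GiB layout is escaped and why a 1 << 36 guard is not.

const GIB: u64 = 1 << 30;

/// Wasmtime's default static linear-memory reservation and guard region on
/// 64-bit hosts (assumed here; the advisory only says the guard is 2 GB).
const DEFAULT_STATIC_MEMORY_MAX: u64 = 4 * GIB;
const DEFAULT_GUARD_SIZE: u64 = 2 * GIB;

/// Effective address as WebAssembly defines it for
/// `(i32.load offset=OFF (i32.shl (local.get $i) (i32.const SHIFT)))`:
/// the shift wraps to 32 bits first, then the index is zero-extended and
/// added to the 32-bit static offset, so the result has at most 33 bits.
fn spec_effective_address(index: u32, shift: u32, offset: u32) -> u64 {
    let shifted = index.wrapping_shl(shift); // i32.shl result is 32 bits wide
    shifted as u64 + offset as u64
}

/// Model of the pre-fix x86_64 lowering: a left shift by 1..=3 was folded
/// into a scaled-index addressing mode, `[base + index * 2^shift + offset]`.
/// The scale applies to the zero-extended 64-bit index, so the bits that the
/// 32-bit shift should have discarded survive and the address can reach 35 bits.
fn buggy_effective_address(index: u32, shift: u32, offset: u32) -> u64 {
    assert!((1..=3).contains(&shift), "x86_64 scale factors are 2, 4 and 8");
    ((index as u64) << shift) + offset as u64
}

/// An access `ea` bytes past the memory base is contained only if it lands
/// inside the reserved region: either in mapped linear memory (a normal
/// access) or in the guard pages (a fault that Wasmtime turns into a trap).
fn escapes_reservation(ea: u64, reserved: u64, guard: u64) -> bool {
    ea >= reserved + guard
}

/// Largest address the buggy lowering can produce: a 32-bit index scaled by 8
/// plus the given static offset.
fn worst_case_buggy_address(offset: u32) -> u64 {
    buggy_effective_address(u32::MAX, 3, offset)
}

/// Would a guard region of `guard` bytes behind the default 4 GiB reservation
/// catch every address the buggy lowering can produce with static offsets up
/// to `max_folded_offset`? This is the check behind the 1 << 36 workaround.
fn guard_covers_bug(guard: u64, max_folded_offset: u32) -> bool {
    !escapes_reservation(
        worst_case_buggy_address(max_folded_offset),
        DEFAULT_STATIC_MEMORY_MAX,
        guard,
    )
}

fn main() {
    let index = u32::MAX;
    for shift in 1..=3 {
        let spec = spec_effective_address(index, shift, 0);
        let buggy = buggy_effective_address(index, shift, 0);
        println!(
            "shift {shift}: spec {spec:#x}, pre-fix x86_64 {buggy:#x}, escapes default layout: {}",
            escapes_reservation(buggy, DEFAULT_STATIC_MEMORY_MAX, DEFAULT_GUARD_SIZE)
        );
    }
    // Assumption: offsets below the guard size are folded into the address
    // without an explicit bounds check, so that is the largest offset to model.
    let max_folded_offset = (DEFAULT_GUARD_SIZE - 1) as u32;
    println!(
        "worst case reach: {:#x} bytes (about 34 GiB)",
        worst_case_buggy_address(max_folded_offset)
    );
    println!(
        "default 2 GiB guard sufficient: {}",
        guard_covers_bug(DEFAULT_GUARD_SIZE, max_folded_offset)
    );
    println!(
        "1 << 36 guard sufficient: {}",
        guard_covers_bug(1 << 36, max_folded_offset)
    );
}
```

The worst-case address the model produces is roughly 32 GiB of scaled index plus up to 2 GiB of folded offset, which is where the advisory's "34G" figure comes from; a 64 GiB guard comfortably contains it, while the default 2 GiB guard does not, and even a shift by 1 already escapes the default 6 GiB reservation.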

Exploit

Fix

Out of bounds Read

Memory Corruption


Weakness Enumeration

Related Identifiers

BDU:2023-01929
CVE-2023-26489
GHSA-FF4P-7XRQ-Q5R8
RUSTSEC-2023-0090

Affected Products

Wasmtime