CVE-2023-41880

Name of the Vulnerable Software and Affected Versions Wasmtime versions 10.0.0 through 12.0.1

Description The issue is related to a miscompilation of the WebAssembly i64x2.shr s instruction on x86 64 platforms when the shift amount is a constant value that is larger than 32. This results in the instruction producing an incorrect result, where the low 32-bits of the second lane of the vector are derived from the low 32-bits of the second lane of the input vector instead of the high 32-bits. The primary impact is that any WebAssembly program using the i64x2.shr s with a constant shift amount larger than 32 may produce an incorrect result. This issue does not allow escape from the WebAssembly sandbox, and execution of WebAssembly guest programs will still behave correctly with respect to memory sandboxing and isolation from the host.

Recommendations To resolve the issue, update to Wasmtime version 10.0.2, 11.0.2, or 12.0.2, as these versions are patched to no longer have this miscompilation. As a temporary workaround, consider disabling the SIMD proposal for WebAssembly.