U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. Vulnerabilities

CVE-2023-27477 Detail

Description

wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's code generation backend, Cranelift, has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will produce the wrong results when the same operand is provided to the instruction and some of the selected indices are greater than 16. There is an off-by-one error in the calculation of the mask to the `pshufb` instruction which causes incorrect results to be returned if lanes are selected from the second vector. This codegen bug has been fixed in Wasmtiem 6.0.1, 5.0.1, and 4.0.1. Users are recommended to upgrade to these updated versions. If upgrading is not an option for you at this time, you can avoid this miscompilation by disabling the Wasm simd proposal. Additionally the bug is only present on x86_64 hosts. Other platforms such as AArch64 and s390x are not affected.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource
https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.wasm_simd Product 
https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.wasm_simd Product 
https://github.com/bytecodealliance/wasmtime/commit/5dc2bbccbb363e474d2c9a1b8e38a89a43bbd5d1 Patch 
https://github.com/bytecodealliance/wasmtime/commit/5dc2bbccbb363e474d2c9a1b8e38a89a43bbd5d1 Patch 
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xm67-587q-r2vw Mitigation  Patch  Vendor Advisory 
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xm67-587q-r2vw Mitigation  Patch  Vendor Advisory 
https://github.com/webassembly/simd Not Applicable 
https://github.com/webassembly/simd Not Applicable 
https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/Mov-ItrNJsQ Mailing List  Release Notes  Vendor Advisory 
https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/Mov-ItrNJsQ Mailing List  Release Notes  Vendor Advisory 

Weakness Enumeration

CWE-ID CWE Name Source
CWE-193 Off-by-one Error GitHub, Inc.  

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

3 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2023-27477
NVD Published Date:
03/08/2023
NVD Last Modified:
11/21/2024
Source:
GitHub, Inc.