CVE-2023-41880

Summary

CVE-2023-41880 is a vulnerability affecting Wasmtime, a WebAssembly runtime, on x86_64 platforms. Versions 10.0.0 through 10.02, 11.0.2, and 12.0.1 contain a miscompilation of the `i64x2.shr_s` instruction when the shift amount is a constant value above 32. This issue results in incorrect output, with the low 32 bits of the second lane of the vector derived from the low 32 bits of the input vector instead of the high 32 bits. This can cause inconsistencies in any WebAssembly program that utilizes this instruction with a large constant shift amount. The problem does not breach the WebAssembly sandbox, but Wasmtime still considers it a security issue. The flaw was discovered through code fuzzing and versions 10.0.2, 11.0.2, and 12.0.2 have since been patched. Prior to 10.0.0, users are not at risk. The only temporary workaround for unpatched systems is to either scan for the problematic pattern in wasm modules or disable the SIMD proposal for WebAssembly.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.