Off-by-one in Wasmtime - CVE-2023-41880

 

Off-by-one in Wasmtime - CVE-2023-41880

Published: September 14, 2023 / Updated: April 23, 2026


Vulnerability identifier: #VU127035
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-41880
CWE-ID: CWE-193
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Bytecode Alliance
Affected software:
Wasmtime

Detailed vulnerability description

The vulnerability allows a remote user to cause incorrect computation results.

The vulnerability exists due to an off-by-one error in the Cranelift code generator for the WebAssembly i64x2.shr_s instruction when compiling WebAssembly on x86_64 with a constant shift amount larger than 32. A remote privileged user can execute a specially crafted WebAssembly program to cause incorrect computation results.

This issue is not an escape from the WebAssembly sandbox and affects only x86_64 hosts.


How to mitigate CVE-2023-41880

Install security update from vendor's website.

Sources