CVSS: 7.6EPSS: 0%CPEs: 3EXPL: 0CVE-2024-51745 – Wasmtime doesn't fully sandbox all the Windows device filenames
https://notcve.org/view.php?id=CVE-2024-51745
05 Nov 2024 — Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with s... • https://en.wikipedia.org/wiki/ISO/IEC_8859-1 • CWE-67: Improper Handling of Windows Device Names CWE-184: Incomplete List of Disallowed Inputs •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2023-30624 – Wasmtime has Undefined Behavior in Rust runtime functions
https://notcve.org/view.php?id=CVE-2023-30624
27 Apr 2023 — Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level issues when compiled with LLVM 16 which causes some writes, which are critical for correctness, to be optimized away. Vulnerable versions of Wasmtime compiled with Rust 1.70, which is currently in beta, or later are known to have incor... • https://github.com/bytecodealliance/wasmtime/commit/0977952dcd9d482bff7c288868ccb52769b3a92e • CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior •
CVSS: 9.9EPSS: 2%CPEs: 6EXPL: 0CVE-2023-26489 – Guest-controlled out-of-bounds read/write on x86_64 in wasmtime
https://notcve.org/view.php?id=CVE-2023-26489
08 Mar 2023 — wasmtime is a fast and secure runtime for WebAssembly. In affected versions wasmtime's code generator, Cranelift, has a bug on x86_64 targets where address-mode computation mistakenly would calculate a 35-bit effective address instead of WebAssembly's defined 33-bit effective address. This bug means that, with default codegen settings, a wasm-controlled load/store operation could read/write addresses up to 35 bits away from the base of linear memory. Due to this bug, however, addresses up to `0xffffffff * 8... • https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.static_memory_guard_size • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-27477
https://notcve.org/view.php?id=CVE-2023-27477
08 Mar 2023 — wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's code generation backend, Cranelift, has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will produce the wrong results when the same operand is provided to the instruction and some of the selected indices are greater than 16. There is an off-by-one error in the calculation of the mask to the `pshufb` instruction which causes incorrect results to be returned if lanes are selected from the second vector. This code... • https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.wasm_simd • CWE-193: Off-by-one Error •