Wasmtime Runtime Vulnerability Found

New Wasmtime Versions Eliminate Critical Vulnerability

Wasmtime, a runtime for WebAssembly applications, has received corrective releases 6.0.1, 5.0.1 and 4.0.1 that fix a critical vulnerability. The flaw, tracked as CVE-2023-26489, lets WebAssembly code read and write memory outside the bounds of its own linear memory. That is a sandbox escape: the isolation Wasmtime places around guest code, including code that talks to the host through the WebAssembly System Interface (WASI), is broken, and a malicious module can read or write host memory beyond the region assigned to it.

The vulnerability is a logic error in the linear-memory addressing rules of the Cranelift code generator, which translates Wasmtime's hardware-independent intermediate representation into machine code; the bug is specific to the x86_64 backend. WebAssembly defines the effective address of a load or store as a 32-bit index plus a 32-bit static offset, added without wrapping, so the result always fits in 33 bits. The miscompiled code could instead compute a 35-bit effective address. With Wasmtime's default sandboxing settings only 6 GB of virtual memory is reserved past the base of each linear memory (4 GB of addressable memory followed by a 2 GB inaccessible guard region), and accesses that provably stay inside that reservation are emitted without a bounds check. A 35-bit address extends the reachable range from 6 GB to 34 GB past the base, far outside the guarded region, so a guest-controlled read or write can land in whatever the host has mapped there.

The fix is to update to one of the patched Wasmtime releases. As a workaround, an embedder can set `Config::static_memory_maximum_size(0)`, which forces every linear memory to carry an explicit bounds check on each access instead of relying on the guard region; this closes the hole but reduces performance.
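As an added illustration, written for this article and not taken from Wasmtime or Cranelift, the Rust model below shows the arithmetic behind the two paragraphs above: the 33-bit WebAssembly effective address, why Wasmtime's default 4 GiB memory plus 2 GiB guard lets generated code skip the bounds check for small static offsets, how far a 35-bit address reaches by comparison, and the explicit per-access check that the `static_memory_maximum_size(0)` workaround forces. The constants mirror Wasmtime's documented 64-bit defaults; the function names are this example's own.

```rust
// Model of WebAssembly linear-memory addressing and of Wasmtime's default
// sandbox layout, written for this article as an illustration. It is not code
// from Wasmtime or Cranelift; the constants mirror Wasmtime's documented
// 64-bit defaults, and the 35-bit width is the figure from the advisory.

/// Default static linear-memory size on 64-bit hosts: 4 GiB.
pub const STATIC_MEMORY_MAX: u64 = 4 << 30;
/// Default guard region mapped (inaccessible) after each linear memory: 2 GiB.
pub const GUARD_SIZE: u64 = 2 << 30;
/// Virtual address space reserved per linear memory: 6 GiB.
pub const RESERVED: u64 = STATIC_MEMORY_MAX + GUARD_SIZE;
/// Width of the effective address WebAssembly actually defines.
pub const WASM_ADDRESS_BITS: u32 = 33;
/// Width of the effective address the buggy x86_64 backend could compute.
pub const MISCOMPILED_ADDRESS_BITS: u32 = 35;

/// Returned when an access would fall outside linear memory.
#[derive(Debug, PartialEq, Eq)]
pub struct OutOfBounds;

/// WebAssembly semantics for a load/store address: the 32-bit index is
/// zero-extended and added to the 32-bit static offset without wrapping.
/// The largest result is 2 * (2^32 - 1) = 2^33 - 2, so it fits in 33 bits.
pub fn wasm_effective_address(index: u32, offset: u32) -> u64 {
    u64::from(index) + u64::from(offset)
}

/// Largest byte offset from the base that an `bits`-wide address can name.
pub fn max_address_for_bits(bits: u32) -> u64 {
    (1u64 << bits) - 1
}

/// True if the byte at `addr` (relative to the memory base) lies inside the
/// reserved 6 GiB region, i.e. inside either the memory or its guard pages.
pub fn within_reservation(addr: u64) -> bool {
    addr < RESERVED
}

/// The guard-region trick: with a static 4 GiB memory, an access whose
/// static offset plus width does not exceed the guard size can never leave
/// the reservation, whatever 32-bit index the guest supplies. The generated
/// code therefore omits the bounds check and lets the guard page fault on
/// out-of-bounds accesses instead.
pub fn can_elide_bounds_check(offset: u32, access_size: u32) -> bool {
    u64::from(offset) + u64::from(access_size) <= GUARD_SIZE
}

/// One past the last byte touched in the worst case (index = u32::MAX).
pub fn worst_case_end(offset: u32, access_size: u32) -> u64 {
    wasm_effective_address(u32::MAX, offset) + u64::from(access_size)
}

/// The explicit check that `Config::static_memory_maximum_size(0)` forces on
/// every access: compare the whole access range against the current memory
/// length instead of trusting the guard region. `memory_len` is in bytes.
pub fn checked_address(
    index: u32,
    offset: u32,
    access_size: u32,
    memory_len: u64,
) -> Result<u64, OutOfBounds> {
    let addr = wasm_effective_address(index, offset);
    // At most 2^33 - 2 + 2^32, so this cannot overflow a u64.
    let end = addr + u64::from(access_size);
    if end <= memory_len {
        Ok(addr)
    } else {
        Err(OutOfBounds)
    }
}

fn main() {
    println!("reserved per linear memory: {} GiB", RESERVED >> 30);
    println!("wasm defines {}-bit effective addresses", WASM_ADDRESS_BITS);
    // An i64.load with static offset 16 skips its bounds check under the
    // defaults because even index = u32::MAX stays inside the guard region.
    println!(
        "elide check for offset 16, width 8: {} (worst-case end {} bytes)",
        can_elide_bounds_check(16, 8),
        worst_case_end(16, 8)
    );
    // A 35-bit address, by contrast, can reach 32 GiB past the base.
    let reach = max_address_for_bits(MISCOMPILED_ADDRESS_BITS);
    println!(
        "35-bit max address {} inside reservation: {}",
        reach,
        within_reservation(reach)
    );
    // With explicit checks, an out-of-range access is rejected outright.
    let mem_len = 64 * 1024; // one 64 KiB wasm page
    println!("{:?}", checked_address(u32::MAX, 0, 1, mem_len));
}
```

The model deliberately does not reproduce the miscompiled instruction sequence; it shows only why an address wider than 33 bits defeats a guard-region sandbox (the reservation is sized for a 32-bit index plus an offset below the guard size) and why the explicit check does not depend on the guard at all, which is what makes it a valid workaround at a performance cost. Whether a stray read or write in that wider range hits anything sensitive depends on what the host process has mapped near the memory base.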

Wasmtime is written in Rust, supports WASI, and can be run as a standalone command-line application or embedded as a library in other programs. The latest version can be downloaded from the project's GitHub page.

Sources: reports, release notes, official announcements.