CVE-2023-26489
Guest-controlled out-of-bounds read/write on x86_64
CRITICAL 9.9
EPSS 2.6%
Published: 3/9/2023
Modified: 5/2/2025
Description
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ff4p-7xrq-q5r8. For more information see the GitHub-hosted security advisory.
Affected packages (3)
- crates.io/cranelift-codegen: >= 0.84.0, < 0.91.1
- crates.io/wasmtime: >= 0.37.0, < 4.0.1
- crates.io/wasmtime: >= 0.0.0-0, < 4.0.1, >= 5.0.0, < 5.0.1, >= 6.0.0, < 6.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-26489
- PATCH: https://crates.io/crates/wasmtime
- PATCH: https://github.com/bytecodealliance/wasmtime
- WEB: https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.static_memory_guard_size
- WEB: https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.static_memory_maximum_size
- WEB: https://github.com/bytecodealliance/wasmtime/commit/63fb30e4b4415455d47b3da5a19d79c12f4f2d1f
- WEB: https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ff4p-7xrq-q5r8
- WEB: https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/Mov-ItrNJsQ
- WEB: https://rustsec.org/advisories/RUSTSEC-2023-0090.html