Out-of-bounds Write Affecting wasmtime package, versions >=0.37.0 <4.0.1>=5.0.0 <5.0.1>=6.0.0 <6.0.1


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.25% (66th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUST-WASMTIME-3357940
  • published9 Mar 2023
  • disclosed9 Mar 2023
  • creditUnknown

Introduced: 9 Mar 2023

CVE-2023-26489  (opens in a new tab)
CWE-787  (opens in a new tab)

How to fix?

Upgrade wasmtime to version 4.0.1, 5.0.1, 6.0.1 or higher.

Overview

Affected versions of this package are vulnerable to Out-of-bounds Write on x86_64 targets where address-mode computation mistakenly would calculate a 35-bit effective address instead of WebAssembly's defined 33-bit effective address.

CVSS Scores

version 3.1