
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-26489 is a critical vulnerability in Cranelift, the code generator used by Wasmtime, on x86_64 targets. It was disclosed on March 8, 2023, and affects Wasmtime versions 0.37.0 through 6.0.0 and cranelift-codegen versions 0.84.0 through 0.93.0. An incorrect x86_64 addressing-mode lowering lets a WebAssembly memory access compute a 35-bit effective address, where wasm32 semantics allow at most a 33-bit one (a 32-bit address operand plus a 32-bit static offset) (GitHub Advisory).
The bug is in Cranelift's x86_64 backend: when a WebAssembly address operand is the result of a left shift by a constant of 1 to 3, the lowering folds that shift into an x86_64 addressing mode (the scale factor of `base + index*scale + disp`). The fold was performed on 64-bit values, so the zero-extension of the 32-bit address was effectively applied before the shift instead of after it, and the high bits that the 32-bit `i32.shl` should have discarded survive into the effective address. The address operand can therefore contribute up to 35 bits (32 bits plus the 3 shifted-out bits) instead of 32. The vulnerability has a CVSS v3.1 score of 9.9, i.e. critical severity (GitHub Advisory).
A malicious WebAssembly module can use this to read and write memory up to roughly 34 GB beyond the base of its linear memory, far outside the 6 GB (a 4 GB reservation plus a 2 GB guard region) that Wasmtime reserves per memory by default on x86_64. Depending on the host's address layout, that range can cover the linear memory of other WebAssembly instances when the pooling allocator is used, or memory belonging to the embedder. Such accesses may complete silently or surface only as ordinary WebAssembly traps, so exploitation is hard to distinguish from benign out-of-bounds behaviour (GitHub Advisory).
The vulnerability is patched in Wasmtime 4.0.1, 5.0.1 and 6.0.1. Users who cannot update have several workarounds: call `Config::static_memory_maximum_size(0)` to force an explicit bounds check on every linear-memory access, call `Config::static_memory_guard_size(1 << 36)` so that the guard region is large enough to absorb the extra address bits, or run on a non-x86_64 host, since other backends such as AArch64 are not affected. The fix removes the erroneous lowering rules from the x86_64 backend so that the 32-bit shift is truncated before the address is extended and folded into the addressing mode (GitHub Advisory, Security Announcement).
The Bytecode Alliance pre-announced the security release on its security mailing list on March 3, 2023, noting its critical nature, and published the patched versions on March 8, 2023 (Security Announcement).
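The address arithmetic described above and the guard-size workaround, as an added example in Rust that is not Cranelift's or Wasmtime's code: it computes the intended wasm32 index beside what the faulty lowering produced, and classifies where the resulting index lands against the default 64-bit layout (4 GiB reservation plus 2 GiB guard, taken from Wasmtime's documented defaults) and against the 1 << 36 guard the advisory suggests. It uses no external crates; the constants, function names, `Landing` type and sample address are assumptions for illustration, and the `static_memory_maximum_size(0)` workaround (explicit bounds checks on a dynamic memory) is not modelled here.

```rust
// Added example (not Wasmtime or Cranelift code): models the wasm32 address
// arithmetic that CVE-2023-26489 got wrong and checks where the resulting
// effective address lands relative to Wasmtime's default x86_64 memory layout.

/// Wasmtime's default static linear-memory reservation on 64-bit hosts (4 GiB).
pub const DEFAULT_STATIC_MEMORY: u64 = 4 << 30;
/// Wasmtime's default guard region after that reservation on 64-bit hosts (2 GiB).
pub const DEFAULT_GUARD: u64 = 2 << 30;
/// Guard size suggested by the advisory as a workaround (1 << 36 = 64 GiB).
pub const WORKAROUND_GUARD: u64 = 1 << 36;

/// Intended wasm32 semantics for `x << shift` used as an address operand:
/// `i32.shl` wraps to 32 bits, the result is zero-extended to 64 bits, and the
/// instruction's static `offset` immediate is added without wrapping.
/// The result is at most (2^32 - 1) + (2^32 - 1), i.e. it fits in 33 bits.
pub fn intended_index(x: u32, shift: u32, offset: u32) -> u64 {
    let scaled = x.wrapping_shl(shift); // high bits shifted out are lost here
    scaled as u64 + offset as u64
}

/// What the erroneous x86_64 lowering computed: the zero-extend was applied
/// before the shift, and the shift became the scale of a
/// `base + index*scale + disp` addressing mode, so the bits that the 32-bit
/// shift should have discarded survive. With shift <= 3 that is up to 35 bits.
pub fn buggy_index(x: u32, shift: u32, offset: u32) -> u64 {
    ((x as u64) << shift) + offset as u64
}

/// Largest distance from the memory base that the buggy lowering can reach
/// for a given shift (1..=3) and static offset.
pub fn max_buggy_reach(shift: u32, offset: u32) -> u64 {
    buggy_index(u32::MAX, shift, offset)
}

#[derive(Debug, PartialEq, Eq)]
pub enum Landing {
    /// Inside the memory's current byte length: a legitimate access.
    InBounds,
    /// Past the current length but inside reservation + guard: an unmapped
    /// page, so the access faults and Wasmtime reports a WebAssembly trap.
    Trap,
    /// Beyond reservation + guard: whatever the host mapped there, possibly
    /// another instance's memory under the pooling allocator or embedder data.
    Escaped,
}

/// Classify where an access at `index` bytes from the memory base lands,
/// given the memory's current length, the static reservation and the guard.
pub fn landing(index: u64, current_len: u64, reservation: u64, guard: u64) -> Landing {
    if index < current_len {
        Landing::InBounds
    } else if index < reservation + guard {
        Landing::Trap
    } else {
        Landing::Escaped
    }
}

fn main() {
    // Constructed input: an i32 address with its top bit set, shifted by 3.
    // Intended semantics wrap it to a small in-bounds index; the bug does not.
    let x = 0x8000_0010u32;
    println!("intended index = {:#x}", intended_index(x, 3, 0));
    println!("buggy index    = {:#x}", buggy_index(x, 3, 0));
    // One 64 KiB wasm page is assumed as the memory's current length.
    let current_len = 64 << 10;
    for shift in 1..=3 {
        let reach = max_buggy_reach(shift, 0);
        println!(
            "shift {}: reach {} GiB, default layout -> {:?}, 1<<36 guard -> {:?}",
            shift,
            reach >> 30,
            landing(reach, current_len, DEFAULT_STATIC_MEMORY, DEFAULT_GUARD),
            landing(reach, current_len, DEFAULT_STATIC_MEMORY, WORKAROUND_GUARD),
        );
    }
}
```

Running it shows the sample address wrapping to index 128 under wasm32 semantics but reaching 16 GiB past the base under the faulty lowering, and that a shift of 3 can reach just under 32 GiB: past the default 6 GiB layout, so the access lands in foreign mappings, but still inside the 68 GiB that the 1 << 36 guard provides, where it faults and becomes an ordinary trap instead of a silent read or write.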
Source: This report was generated using AI