CVE-2023-27477: 
Rust vulnerability analysis and mitigation

Wasmtime's code generation backend, Cranelift, contains a bug on x86_64 platforms affecting the WebAssembly i8x16.select instruction. The vulnerability (CVE-2023-27477) was discovered and disclosed on March 8, 2023. The issue affects Wasmtime versions 6.0.0 and earlier, down to version 1.0.0. The bug produces incorrect results when the same operand is provided to the instruction and some of the selected indices are greater than 16 (GitHub Advisory).

The vulnerability stems from an off-by-one error in the calculation of the mask to the pshufb instruction, which causes incorrect results to be returned if lanes are selected from the second vector. The bug specifically affects the x86_64 platform implementation of the WebAssembly SIMD (Single Instruction, Multiple Data) feature. The issue has been assigned a CVSS v3.1 base score of 3.1 (Low) with a vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N (GitHub Advisory).

The miscompilation can cause WebAssembly instructions to produce incorrect results for the i8x16.select instruction. While this does not represent a sandbox escape or affect embedders directly, guest programs may behave unexpectedly due to the incorrect instruction results. In extreme cases, if a guest program handles untrusted input, it may deviate from intended execution, potentially calling imported host functions with different arguments than intended (GitHub Advisory).

The issue has been fixed in Wasmtime versions 6.0.1, 5.0.1, and 4.0.1. Users are recommended to upgrade to these patched versions. For those unable to upgrade immediately, two workarounds are available: disable the Wasm SIMD proposal using config.wasm_simd(false), or use platforms other than x86_64 (such as AArch64 and s390x) which are not affected by this bug (GitHub Advisory, Security Announcement).