EUVD-2023-1143

🗓️ 03 Oct 2025 20:07:09Reported by EUVDType

Wasmtime has a vulnerability in miscompilation of i8x16.select on x86_64 with identical inputs.

Reporter	Title	Published	Views	Family All 25
CBLMariner	CVE-2023-27477 affecting package rust for versions less than 1.68.2-2	25 May 202309:38	–	cbl_mariner
Chainguard	CVE-2023-27477 vulnerabilities	8 Mar 202321:15	–	cgr
Circl	CVE-2023-27477	9 Mar 202300:23	–	circl
CNNVD	Wasmtime 安全漏洞	8 Mar 202300:00	–	cnnvd
CVE	CVE-2023-27477	8 Mar 202300:00	–	cve
Cvelist	CVE-2023-27477	8 Mar 202300:00	–	cvelist
Debian CVE	CVE-2023-27477	8 Mar 202300:00	–	debiancve
Github Security Blog	wasmtime vulnerable to miscompilation of `i8x16.select` with the same inputs on x86_64	9 Mar 202300:09	–	github
Microsoft CVE	wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's code generation backend Cranelift has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will produce the wrong results when the same operand is provided to the instruction and some of the selected indices are greater than 16. There is an off-by-one error in the calculation of the mask to the `pshufb` instruction which causes incorrect results to be returned if lanes are selected from the second vector. This codegen bug has been fixed in Wasmtiem 6.0.1 5.0.1 and 4.0.1. Users are recommended to upgrade to these updated versions. If upgrading is not an option for you at this time you can avoid this miscompilation by disabling the Wasm simd proposal. Additionally the bug is only present on x86_64 hosts. Other platforms such as AArch64 and s390x are not affected.	3 Apr 202307:00	–	mscve
NVD	CVE-2023-27477	8 Mar 202321:15	–	nvd

[
  {
    "enisaIdVendor": [
      {
        "id": "42d2d03d-d09d-3129-8773-afed124155ca",
        "vendor": {
          "name": "bytecodealliance"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "15ac181f-a8c8-396b-b5a3-160cf4c165b2",
        "product": {
          "name": "wasmtime"
        },
        "product_version": "cranelift-codegen:  0.92.0, < 0.92.1"
      },
      {
        "id": "58a88208-8ee4-3445-b36c-c648cf5fa24c",
        "product": {
          "name": "wasmtime"
        },
        "product_version": "wasmtime:  0.37.0, < 4.0.1"
      },
      {
        "id": "7035843a-18be-3ea2-9eed-24657a64a043",
        "product": {
          "name": "wasmtime"
        },
        "product_version": "wasmtime:  5.0.0, < 5.0.1"
      },
      {
        "id": "84608d93-6e0d-35d2-81f2-022b898d43e3",
        "product": {
          "name": "wasmtime"
        },
        "product_version": "wasmtime:  6.0.0, < 6.0.1"
      },
      {
        "id": "9bc3c43e-220a-35c8-ad65-7da555501f59",
        "product": {
          "name": "wasmtime"
        },
        "product_version": "cranelift-codegen:  0.88.0, < 0.91.1"
      },
      {
        "id": "fc248052-9ad6-33c1-bb8b-525d89615d79",
        "product": {
          "name": "wasmtime"
        },
        "product_version": "cranelift-codegen:  0.93.0, < 0.93.1"
      }
    ]
  }
]

Source	Link
github	www.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xm67-587q-r2vw
nvd	www.nvd.nist.gov/vuln/detail/CVE-2023-27477
github	www.github.com/bytecodealliance/wasmtime/commit/5dc2bbccbb363e474d2c9a1b8e38a89a43bbd5d1
docs	www.docs.rs/wasmtime/latest/wasmtime/struct.Config.html
github	www.github.com/bytecodealliance/wasmtime
github	www.github.com/webassembly/simd
groups	www.groups.google.com/a/bytecodealliance.org/g/sec-announce/c/Mov-ItrNJsQ
rustsec	www.rustsec.org/advisories/RUSTSEC-2023-0093.html

03 Oct 2025 20:07Current

4.8Medium risk

Vulners AI Score4.8

CVSS 3.13.1 - 4.3

EPSS0.00474

SSVC