CVE-2023-26489
Summary of CVE-2023-26489 (wasmtime/Cranelift): In x86_64, Cranelift’s address-mode computation could extend a 32-bit WebAssembly address to 64 bits, producing an effective address up to 35 bits away from linear memory. With default codegen, this allowed wasm-controlled loads/stores to read/write...
CVE-2023-27477
Wasmtime Cranelift on x86_64 has a codegen bug for i8x16.select that can yield incorrect results when the same operand is used and some selected indices exceed 16. The off-by-one error in the mask calculation for pshufb may cause wrong results when lanes are taken from the second vector. This iss...
CVE-2022-31104
CVE-2022-31104 concerns Wasmtime’s x86_64 SIMD implementation. Two Cranelift lowering bugs affected i8x16.swizzle and select for v128 inputs: swizzle overwrote the mask input register, potentially corrupting a constant; and select incorrectly handled 128-bit vectors when the condition was 0, movi...
CVE-2022-31169
CVE-2022-31169 affects Wasmtime’s Cranelift codegen on AArch64. A miscompilation in constant division may place incorrect values in registers due to sign/zero-extension rules, impacting WebAssembly sandbox correctness. Affected: Wasmtime prior to 0.38.2 and Cranelift prior to 0.85.2; fixed in Was...
CVE-2022-31146
CVE-2022-31146 affects Wasmtime (Cranelift) in the migration to the regalloc2 allocator (Wasmtime 0.37.0). The bug may cause metadata for reference-typed functions to be missing during GC, making the GC pass think there are no live references, leading to use-after-free when values are later acces...
CVE-2021-32629
A bug in Cranelift’s x64 backend in 0.73 (and in certain earlier builds when the new backend is explicitly selected) can sign-extend a loaded i32 value, potentially enabling sandbox escapes in Wasm modules and exposing memory up to 2 GiB before the heap. Wasmtime and Lucet using Cranelift may be exploita...