CVE-2022-31169
Published: 22 July 2022
Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, for AArch64 targets where constant divisors can result in incorrect division results at runtime. This affects Wasmtime prior to version 0.38.2 and Cranelift prior to 0.85.2. This issue only affects the AArch64 platform; other platforms are not affected. The translation rules for constants did not take into account whether sign- or zero-extension should happen, which resulted in an incorrect value being placed into a register when a division was encountered. The impact of this bug is that programs executing within the WebAssembly sandbox would not behave according to the WebAssembly specification. This means that it is hypothetically possible for execution within the sandbox to go awry, and WebAssembly programs could produce unexpected results. This should not impact hosts executing WebAssembly but does affect the correctness of guest programs. This bug has been patched in Wasmtime version 0.38.2 and cranelift-codegen 0.85.2. There are no known workarounds.
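A simplified model of the bug class described above, added here as an illustration; it is not Cranelift's or Wasmtime's code. The function names, the 8-bit operand width and the sample values are assumptions: the model widens a narrow constant divisor into a 64-bit register with the correct and the incorrect extension and lists the constants whose quotient changes.

```rust
// Added example: a model of narrow division done in 64-bit registers.
// Names, widths and sample values are constructed for illustration.
#[derive(Clone, Copy)]
enum Ext { Sign, Zero }

/// Widen the low `bits` (1..=64) bits of `v` into a 64-bit register image.
fn widen(v: u64, bits: u32, ext: Ext) -> u64 {
    let shift = 64 - bits;
    match ext {
        Ext::Sign => (((v << shift) as i64) >> shift) as u64,
        Ext::Zero => (v << shift) >> shift,
    }
}

/// `bits`-wide division of `x` by the non-zero constant `c`. The dividend is
/// widened as the operation requires; the constant is widened with `const_ext`.
fn div_in_regs(x: u64, c: u64, bits: u32, signed: bool, const_ext: Ext) -> u64 {
    let need = if signed { Ext::Sign } else { Ext::Zero };
    let (n, d) = (widen(x, bits, need), widen(c, bits, const_ext));
    let q = if signed { (n as i64).wrapping_div(d as i64) as u64 } else { n / d };
    widen(q, bits, Ext::Zero) // truncate the quotient back to operand width
}

/// Constant divisors in 1..2^bits (bits < 64) whose quotient for dividend `x`
/// changes when the constant is widened with the wrong extension.
fn miscompiled_divisors(x: u64, bits: u32, signed: bool) -> Vec<u64> {
    let (right, wrong) = if signed { (Ext::Sign, Ext::Zero) } else { (Ext::Zero, Ext::Sign) };
    (1..(1u64 << bits))
        .filter(|&c| {
            div_in_regs(x, c, bits, signed, right) != div_in_regs(x, c, bits, signed, wrong)
        })
        .collect()
}

fn main() {
    // Constructed sample: 8-bit dividend 0xF0 (240 unsigned, -16 signed).
    for signed in [false, true] {
        let bad = miscompiled_divisors(0xF0, 8, signed);
        println!(
            "signed={signed}: {} affected constants, range {:#04x}..={:#04x}",
            bad.len(), bad[0], bad[bad.len() - 1]
        );
    }
}
```

Only constants with the top bit of the operand width set are affected in this model, because sign- and zero-extension agree on every other value.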
Notes
Author | Note |
---|---|
tyhicks | mozjs contains a copy of the SpiderMonkey JavaScript engine |
mdeslaur | starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap |
rodrigo-zaiden | cranelift, the wasmtime code generator, is included in firefox, thunderbird and mozjs families. |
Priority
Status
Package | Release | Status |
---|---|---|
firefox | bionic | Ignored (end of standard support, was needed) |
firefox | jammy | Not vulnerable (code not present) |
firefox | lunar | Not vulnerable (code not present) |
firefox | trusty | Does not exist |
firefox | upstream | Needs triage |
firefox | xenial | Ignored (end of standard support) |
firefox | focal | Ignored (bundled deps handled by upstream in new versions) |
firefox | kinetic | Not vulnerable (code not present) |
firefox | mantic | Not vulnerable (code not present) |
mozjs38 | bionic | Needs triage |
mozjs38 | focal | Does not exist |
mozjs38 | jammy | Does not exist |
mozjs38 | lunar | Does not exist |
mozjs38 | trusty | Does not exist |
mozjs38 | upstream | Needs triage |
mozjs38 | xenial | Does not exist |
mozjs38 | kinetic | Does not exist |
mozjs38 | mantic | Does not exist |
mozjs52 | bionic | Needs triage |
mozjs52 | focal | Needs triage |
mozjs52 | jammy | Does not exist |
mozjs52 | lunar | Does not exist |
mozjs52 | trusty | Does not exist |
mozjs52 | upstream | Needs triage |
mozjs52 | xenial | Does not exist |
mozjs52 | kinetic | Does not exist |
mozjs52 | mantic | Does not exist |
mozjs68 | bionic | Does not exist |
mozjs68 | focal | Needs triage |
mozjs68 | jammy | Does not exist |
mozjs68 | lunar | Does not exist |
mozjs68 | trusty | Does not exist |
mozjs68 | upstream | Needs triage |
mozjs68 | xenial | Does not exist |
mozjs68 | kinetic | Does not exist |
mozjs68 | mantic | Does not exist |
mozjs78 | trusty | Does not exist |
mozjs78 | xenial | Does not exist |
mozjs78 | bionic | Does not exist |
mozjs78 | focal | Does not exist |
mozjs78 | jammy | Needs triage |
mozjs78 | upstream | Needs triage |
mozjs78 | kinetic | Ignored (end of life, was needs-triage) |
mozjs78 | mantic | Does not exist |
mozjs78 | lunar | Ignored (end of life, was needs-triage) |
mozjs91 | lunar | Does not exist |
mozjs91 | bionic | Does not exist |
mozjs91 | focal | Does not exist |
mozjs91 | jammy | Needs triage |
mozjs91 | trusty | Does not exist |
mozjs91 | xenial | Does not exist |
mozjs91 | upstream | Needs triage |
mozjs91 | kinetic | Does not exist |
mozjs91 | mantic | Does not exist |
thunderbird | bionic | Ignored (end of standard support, was needed) |
thunderbird | trusty | Does not exist |
thunderbird | upstream | Needs triage |
thunderbird | focal | Ignored (bundled deps handled by upstream in new versions) |
thunderbird | jammy | Ignored (bundled deps handled by upstream in new versions) |
thunderbird | kinetic | Ignored (end of life, was needed) |
thunderbird | xenial | Ignored (end of standard support) |
thunderbird | mantic | Ignored (bundled deps handled by upstream in new versions) |
thunderbird | lunar | Ignored (end of life, was ignored [bundled deps handled by upstream in new versions]) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |