Use After Free Affecting wasmtime package, versions >=0.37.0 <0.38.2


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.86% (54th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUST-WASMTIME-2957524
  • published21 Jul 2022
  • disclosed20 Jul 2022
  • creditAlex Crichton, Nick Fitzgerald, Jamey Sharp

Introduced: 20 Jul 2022

CVE-2022-31146  (opens in a new tab)
CWE-416  (opens in a new tab)

How to fix?

Upgrade wasmtime to version 0.38.2 or higher.

Overview

Affected versions of this package are vulnerable to Use After Free in the runtime garbage collector. When a host passes non-null externrefs to WebAssembly, garbage collection is triggered, while active Wasm frames remain on the stack. Live references from these frames can be reclaimed and reallocated.

Note: This vulnerability can be worked around by passing false to wasmtime::Config::wasm_reference_types.

References

CVSS Base Scores

version 3.1