CVE-2022-24791
Published 2022-03-31
Priority: P350 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.14% (62.5th percentile)
Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. There is a use after free vulnerability in Wasmtime when both running Wasm that uses `externref`s and enabling epoch interruption in Wasmtime. If you are not explicitly enabling epoch interruption (it is disabled by default) then you are not affected. If you are explicitly disabling the Wasm reference types proposal (it is enabled by default) then you are also not affected.

The use after free is caused by Cranelift failing to emit stack maps when there are safepoints inside cold blocks. Cold blocks occur when epoch interruption is enabled. Cold blocks are emitted at the end of compiled functions, and change the order blocks are emitted versus defined. This reordering accidentally caused Cranelift to skip emitting some stack maps because it expected to emit the stack maps in block definition order, rather than block emission order. When Wasmtime would eventually collect garbage, it would fail to find live references on the stack because of the missing stack maps, think that they were unreferenced garbage, and therefore reclaim them. Then after the collection ended, the Wasm code could use the reclaimed-too-early references, which is a use after free.

Patches have been released in versions 0.34.2 and 0.35.2, which fix the vulnerability. All Wasmtime users are recommended to upgrade to these patched versions. If upgrading is not an option for you at this time, you can avoid the vulnerability by either disabling the Wasm reference types proposal, `config.wasm_reference_types(false)`, or disabling epoch interruption if you were previously enabling it, `config.epoch_interruption(false)`.
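The root cause described above, as a simplified model added here (not Cranelift's or Wasmtime's code): the `Block` type, the instruction numbers and the cursor-based matching are assumptions made for illustration. It shows an emitter that expects definition order losing a stack map once a cold block is moved to the end, next to an order-independent lookup that keeps all of them.

```rust
// Simplified model for illustration (an assumption, not Cranelift's code).
use std::collections::HashSet;
struct Block { cold: bool, insts: Vec<u32> } // insts numbered in definition order

/// Emission order: hot blocks first, cold blocks moved to the end of the function.
fn emission_order(blocks: &[Block]) -> Vec<usize> {
    let mut order: Vec<usize> = (0..blocks.len()).filter(|&i| !blocks[i].cold).collect();
    order.extend((0..blocks.len()).filter(|&i| blocks[i].cold));
    order
}

/// Flawed: a cursor over `safepoints` assumes emission follows definition order.
fn emit_with_cursor(blocks: &[Block], safepoints: &[u32]) -> Vec<u32> {
    let (mut cursor, mut mapped) = (0, Vec::new());
    for b in emission_order(blocks) {
        for &inst in &blocks[b].insts {
            if cursor < safepoints.len() && safepoints[cursor] == inst {
                mapped.push(inst); // stack map emitted for this safepoint
                cursor += 1;
            }
        }
    }
    mapped
}

/// Order-independent: every emitted instruction is checked against the set.
fn emit_with_lookup(blocks: &[Block], safepoints: &[u32]) -> Vec<u32> {
    let set: HashSet<u32> = safepoints.iter().copied().collect();
    let mut mapped = Vec::new();
    for b in emission_order(blocks) {
        mapped.extend(blocks[b].insts.iter().copied().filter(|i| set.contains(i)));
    }
    mapped
}

/// Constructed input: block 1 is cold; instructions 1, 3 and 5 are safepoints.
fn sample() -> (Vec<Block>, Vec<u32>) {
    let blocks = vec![
        Block { cold: false, insts: vec![0, 1] },
        Block { cold: true, insts: vec![2, 3] },
        Block { cold: false, insts: vec![4, 5] },
    ];
    (blocks, vec![1, 3, 5])
}

fn main() {
    let (blocks, sps) = sample();
    println!("cursor: {:?}", emit_with_cursor(&blocks, &sps));
    println!("lookup: {:?}", emit_with_lookup(&blocks, &sps));
}
```

In this model the cursor stalls on the cold block's safepoint, so safepoint 5 in the hot block defined after it never gets a stack map; a missing map of that kind is what left live references invisible to the collector.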
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | < 0.34.2 | 0.34.2 |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | >= 0 < 0.34.2 | 0.34.2 |
| bytecodealliance | wasmtime | >= 0.0.0-0 < 0.34.2 | 0.34.2 |
| bytecodealliance | wasmtime | >= 0.34.0 < 0.34.2 | 0.34.2 |
| bytecodealliance | wasmtime | >= 0.34.0 < 0.34.2 | 0.34.2 |
| bytecodealliance | wasmtime | >= 0.35.0 < 0.35.2 | 0.35.2 |
| bytecodealliance | wasmtime | >= 0.35.0 < 0.35.2 | 0.35.2 |
| debian | rust-wasmtime | — | — |
| mozilla | firefox | >= 0 < 1:1snap1-0ubuntu1 | 1:1snap1-0ubuntu1 |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
CVSS provenance
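| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 8.1 | LOW | |
| vendor_msrc | | 8.1 | HIGH | |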
Microsoft
Use after free in Wasmtime
vendor_msrc·2022-03-08·CVSS 8.1
CVE-2022-24791 [HIGH] CWE-416 Use after free in Wasmtime
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Debian
CVE-2022-24791: rust-wasmtime - Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. The...
vendor_debian·2022·CVSS 8.1
CVE-2022-24791 [HIGH] CVE-2022-24791: rust-wasmtime - Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. The...
GHSA
Use after free in Wasmtime
ghsa·2022-04-01
CVE-2022-24791 [HIGH] CWE-416 Use after free in Wasmtime
There is a use after free vulnerability in Wasmtime when both running Wasm that uses `externref`s and enabling [epoch interruption](https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.epoch_interruption) in Wasmtime. If you are not explicitly enabling epoch interruption (it is disabled by default) then you are not affected. If you are explicitly disabling the Wasm reference types proposal (it is enabled by default) then you are also not affected.
The use after free is caused by Cranelift failing to emit stack maps when there are safepoints inside cold blocks. Cold blocks occur when epoch interruption is enabled. Cold blocks are emitted at the end of compiled functions, and change the order blocks are emitted versus defined. This reordering accide
OSV
Use after free in Wasmtime
osv·2022-04-01
CVE-2022-24791 [HIGH] Use after free in Wasmtime
OSV
CVE-2022-24791: Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift
osv·2022-03-31·CVSS 9.8
CVE-2022-24791 [CRITICAL] CVE-2022-24791: Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift
OSV
Use after free with `externref`s and epoch interruption in Wasmtime
osv·2022-03-31
CVE-2022-24791 Use after free with `externref`s and epoch interruption in Wasmtime
[Use after free with `externref`s and epoch interruption in Wasmtime](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gwc9-348x-qwv2)
OSV
Use after free with `externref`s and epoch interruption in Wasmtime
osv·2022-03-28
CVE-2022-24791 Use after free with `externref`s and epoch interruption in Wasmtime
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gwc9-348x-qwv2. For more information see the GitHub-hosted security advisory.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/bytecodealliance/wasmtime/commit/666c2554ea0e1728c35aa41178cf235920db888a
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gwc9-348x-qwv2
Published: 2022-03-31