CVE-2022-31146 — Use After Free in Cranelift-codegen

CWE-416 — Use After Free6 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.5%

top 35.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bytecodealliance Cranelift-codegen Bytecodealliance Wasmtime Debian Rust-wasmtime

Timeline

PublishedJul 21

Description

Wasmtime is a standalone runtime for WebAssembly. There is a bug in the Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing metadata required for runtime garbage collection. This means that if a GC happens at runtime then the GC pass will mistakenly think these functions do not have live references to GC'd values, reclaiming them and deallocating them. The function will then subsequently continue to use the values assuming they had not been GC'd…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶NVDbytecodealliance/wasmtime0.37.0 — 0.38.2

▶crates.iobytecodealliance/wasmtime0.0.0-0 — 0.38.2+1

▶CVEListV5bytecodealliance/wasmtime>= 0.37.0, < 0.38.2, >= 0.84.0, < 0.85.2+1

▶debiandebian/rust-wasmtime

▶NVDbytecodealliance/cranelift-codegen0.84.0 — 0.85.2

🔴Vulnerability Details

OSV

CVE-2022-31146: Wasmtime is a standalone runtime for WebAssembly↗2022-07-21

▶

GHSA

Wasmtime vulnerable to Use After Free with `externref`s↗2022-07-20

▶

OSV

Wasmtime vulnerable to Use After Free with `externref`s↗2022-07-20

▶

OSV

Use After Free with `externref`s in Wasmtime↗2022-07-12

▶

📋Vendor Advisories

Debian

CVE-2022-31146: rust-wasmtime - Wasmtime is a standalone runtime for WebAssembly. There is a bug in the Wasmtime...↗2022

▶