CVE-2022-39393 — Sensitive Information in Resource Not Removed Before Reuse in Wasmtime

CWE-226 — Sensitive Information in Resource Not Removed Before Reuse CWE-212 — Improper Removal of Sensitive Information Before Storage or Transfer7 documents4 sources

Severity

8.6HIGHNVD

EPSS

0.3%

top 45.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bytecodealliance Wasmtime Debian Rust-wasmtime

Timeline

PublishedNov 10

Description

Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap snapshot of the prior instance can be visible, erroneously to the next instance. This bug has been patched and users should upgrade to Wasmtime 2.0.2 and 1.0.2. Other mitigations include disabling the pooling allocator and disabling the `memory-init-cow`.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:NExploitability: 3.9 | Impact: 4.0

Affected Packages4 packages

▶NVDbytecodealliance/wasmtime2.0.0 — 2.0.2+1

▶crates.iobytecodealliance/wasmtime0.0.0-0 — 1.0.2+2

▶debiandebian/rust-wasmtime

▶CVEListV5bytecodealliance/wasmtime>= 2.0.0, < 2.0.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Bug in pooling instance allocator↗2022-11-10

▶

OSV

Wasmtime may have data leakage between instances in the pooling allocator↗2022-11-10

▶

OSV

CVE-2022-39393: Wasmtime is a standalone runtime for WebAssembly↗2022-11-10

▶

GHSA

Wasmtime may have data leakage between instances in the pooling allocator↗2022-11-10

▶

OSV

Data leakage between instances in the pooling allocator↗2022-11-05

▶

📋Vendor Advisories

Debian

CVE-2022-39393: rust-wasmtime - Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1....↗2022

▶