cbcvebase.
CVE-2022-39393
published 2022-11-10

CVE-2022-39393: Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance…

PriorityP344high8.6CVSS 3.1
AVNACLPRNUINSCCHINAN
EPSS
0.66%
46.8th percentile
Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap snapshot of the prior instance can be visible, erroneously to the next instance. This bug has been patched and users should upgrade to Wasmtime 2.0.2 and 1.0.2. Other mitigations include disabling the pooling allocator and disabling the `memory-init-cow`.

Affected

7 ranges
VendorProductVersion rangeFixed in
bytecodealliancewasmtime< 1.0.21.0.2
bytecodealliancewasmtime
bytecodealliancewasmtime>= 0 < 1.0.21.0.2
bytecodealliancewasmtime>= 0.0.0-0 < 1.0.21.0.2
bytecodealliancewasmtime>= 2.0.0 < 2.0.22.0.2
bytecodealliancewasmtime>= 2.0.0 < 2.0.22.0.2
debianrust-wasmtime

CVSS provenance

nvdv3.18.6HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
osv8.6HIGH
vendor_debian8.6LOW
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.