CVE-2023-30624 — Reliance on Undefined, Unspecified, or Implementation-Defined Behavior in Wasmtime
CWE-758 — Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
5 documents, 4 sources
Severity
8.8 HIGH (NVD)
EPSS
0.1%
top 66.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Apr 27
Description
Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level issues when compiled with LLVM 16 which causes some writes, which are critical for correctness, to be optimized away. Vulnerable versions of Wasmtime compiled with Rust 1.70, which is currently in beta, or later are known t…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 4 packages
Patches
Vulnerability Details (3)
Vendor Advisories (1)
Debian
CVE-2023-30624: rust-wasmtime - Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1... (2023)