CVE-2023-52284 — Double Free in Webassembly Micro Runtime

CWE-415 — Double Free3 documents3 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 85.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bytecodealliance Webassembly Micro Runtime Msrc Cbl2 Fluent-bit 2.1.10-3 ON CBL Mariner 2.0 Msrc CBL Mariner 2.0 ARM +1 more

Timeline

PublishedDec 31

Description

Bytecode Alliance wasm-micro-runtime (aka WebAssembly Micro Runtime or WAMR) before 1.3.0 can have an "double free or corruption" error for a valid WebAssembly module because push_pop_frame_ref_offset is mishandled.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶NVDbytecodealliance/webassembly_micro_runtime< 1.3.0

▶msrcmsrc/cbl_mariner_2.0_arm

▶msrcmsrc/cbl_mariner_2.0_x64

▶msrcmsrc/cbl2_fluent-bit_2.1.10-3_on_cbl_mariner_2.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-4m88-fhx6-92j5: Bytecode Alliance wasm-micro-runtime (aka WebAssembly Micro Runtime or WAMR) before 1↗2023-12-31

▶

📋Vendor Advisories

Microsoft

▶