CVE-2024-30266
Published 2024-04-04
Priority: P4 21 · medium · 5.5 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.32% (23.5th percentile)
wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this panic. This vulnerability has been patched in version 19.0.1.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | >= 19.0.0 < 19.0.1 | 19.0.1 |
| debian | rust-wasmtime | < rust-wasmtime 21.0.2+dfsg-1 (forky) | rust-wasmtime 21.0.2+dfsg-1 (forky) |
CVSS provenance
nvd: v3.1, 5.5 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv: 5.5 MEDIUM
vendor_debian: 3.3 LOW
OSV
CVE-2024-30266: wasmtime is a runtime for WebAssembly
osv·2024-04-04·CVSS 5.5
CVE-2024-30266 [MEDIUM] CVE-2024-30266: wasmtime is a runtime for WebAssembly
OSV
Panic when using a dropped extenref-typed element segment
osv·2024-04-02
CVE-2024-30266 Panic when using a dropped extenref-typed element segment
This is an entry in the RustSec database for the Wasmtime security advisory
located at
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5.
For more information see the GitHub-hosted security advisory.
GHSA
Wasmtime vulnerable to panic when using a dropped extenref-typed element segment
ghsa·2024-04-02
CVE-2024-30266 [LOW] CWE-843 Wasmtime vulnerable to panic when using a dropped extenref-typed element segment
### Impact
The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this panic. The panic in question is caused when a WebAssembly module issues a `table.*` instruction which uses a dropped element segment with a table that also has an `externref` type. This causes Wasmtime to erroneously use an empty function segment instead of an empty externref segment to perform this operation. This mismatch in types causes a panic in Wasmtime when it's asserted that an externref table is only viewed as externrefs.
This regression was introduced d
OSV
Wasmtime vulnerable to panic when using a dropped extenref-typed element segment
osv·2024-04-02
CVE-2024-30266 [LOW] Wasmtime vulnerable to panic when using a dropped extenref-typed element segment
Debian
CVE-2024-30266: rust-wasmtime - wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a...
vendor_debian·2024·CVSS 3.3
CVE-2024-30266 [LOW] CVE-2024-30266: rust-wasmtime - wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a...
Scope: local
forky: resolved (fixed in 21.0.2+dfsg-1)
sid: resolved (fixed in 21.0.2+dfsg-1)
trixie: resolved (fixed in 21.0.2+dfsg-1)
https://github.com/bytecodealliance/wasmtime/commit/7f57d0bb0948fa56cc950278d0db230ed10e8664
https://github.com/bytecodealliance/wasmtime/issues/8281
https://github.com/bytecodealliance/wasmtime/pull/8018
https://github.com/bytecodealliance/wasmtime/pull/8283
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5
Published: 2024-04-04