⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2024-47763: Always-Incorrect Control Flow Implementation in Wasmtime (CWE-670)

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.0% (top 99.44%)
CISA KEV: Not in KEV
Exploit: Exploited in wild (active exploitation observed)
Timeline: Published 2024-10-09

Description

Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtime crash is a deterministic process abort when Wasmtime is compiled with Rust 1.81 and later. WebAssembly tail calls are a proposal which relatively recently reached stage 4 in the standardization process

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6
(Local attack vector, low complexity, low privileges, no user interaction, unchanged scope; no confidentiality or integrity impact, high availability impact: a crash of the host process embedding Wasmtime.)

Affected Packages (4 packages)

Debian: debian/rust-wasmtime, fixed in rust-wasmtime 21.0.2+dfsg-1 (forky); earlier versions affected
crates.io: bytecodealliance/wasmtime, >= 12.0.0, < 21.0.2 (+5 more ranges)
CVEListV5: bytecodealliance/wasmtime, 5 versions (+4 more)
NVD: bytecodealliance/wasmtime, 9 versions (+8 more)
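As an added triage check, not code from this page, the advisory, or the Wasmtime project: the following Python scans Cargo.lock text for pinned `wasmtime` crates, flags any version inside the crates.io range listed above (>= 12.0.0, < 21.0.2), and classifies the outcome the description distinguishes by Rust toolchain (possible undefined behavior with Rust 1.80 or earlier, a deterministic abort with 1.81 or later). The page counts five further affected ranges it does not show; those must be added to `AFFECTED_RANGES` from the advisory before relying on a "not affected" verdict. The Cargo.lock fragment is constructed for the example and `report`, `classify` and `is_affected` are names chosen here, not an API of any tool.

```python
import re

# Affected crates.io range from this page, as (inclusive low, exclusive high).
# The page counts 5 more ranges it does not show; add those from the advisory.
AFFECTED_RANGES = [
    ((12, 0, 0), (21, 0, 2)),
]


def parse_version(text):
    """Turn '21.0.2+dfsg-1' or '1.81' into a 3-tuple, dropping suffixes."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def wasmtime_versions(cargo_lock):
    """Collect every version of the `wasmtime` crate pinned in Cargo.lock text."""
    found = []
    for block in cargo_lock.split("[[package]]"):
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and version and name.group(1) == "wasmtime":
            found.append(version.group(1))
    return found


def is_affected(version):
    """True when the version is inside any listed affected range."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def classify(wasmtime_version, rustc_version):
    """Report the outcome the description gives for an affected build."""
    if not is_affected(wasmtime_version):
        return "not affected"
    if parse_version(rustc_version) >= (1, 81, 0):
        return "affected: deterministic process abort (denial of service)"
    return "affected: runtime crash may be undefined behavior (Rust <= 1.80)"


def report(cargo_lock, rustc_version):
    """Return one (version, verdict) pair per wasmtime crate in the lock file."""
    return [(v, classify(v, rustc_version)) for v in wasmtime_versions(cargo_lock)]


# Constructed Cargo.lock fragment for demonstration; not from a real project.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "wasmtime"
version = "20.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "wasmtime-cranelift"
version = "20.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

if __name__ == "__main__":
    # Pass the output of `rustc --version` (e.g. "1.80.1") as the second argument.
    for version, verdict in report(SAMPLE_LOCK, "1.80.1"):
        print(f"wasmtime {version}: {verdict}")
```

The rustc check only changes how an affected build fails, not whether it is affected: any version in the range needs the fixed release regardless of toolchain, and the classification is there to prioritise builds where the crash is undefined behavior rather than a clean abort.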

Patches

🔴 Vulnerability Details (4)

OSV: wasmtime has a runtime crash when combining tail calls with trapping imports (2024-10-09)
OSV: CVE-2024-47763: Wasmtime is an open source runtime for WebAssembly (2024-10-09)
GHSA: wasmtime has a runtime crash when combining tail calls with trapping imports (2024-10-09)
OSV: Runtime crash when combining tail calls with stack traces (2024-10-02)

📋 Vendor Advisories (2)

Red Hat: wasmtime: Runtime crash when combining tail calls with stack traces (2024-10-09)
Debian: CVE-2024-47763: rust-wasmtime - Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of... (2024)