CVE-2024-47763
published 2024-10-09CVE-2024-47763: Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime…
PriorityP423medium5.5CVSS 3.1
AVLACLPRLUINSUCNINAH
ITW
Exploited in the wild
EPSS
0.24%
15.5th percentile
Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtime crash is a deterministic process abort when Wasmtime is compiled with Rust 1.81 and later. WebAssembly tail calls are a proposal which relatively recently reached stage 4 in the standardization process. Wasmtime first enabled support for tail calls by default in Wasmtime 21.0.0, although that release contained a bug where it was only on-by-default for some configurations. In Wasmtime 22.0.0 tail calls were enabled by default for all configurations. The specific crash happens when an exported function in a WebAssembly module (or component) performs a `return_call` (or `return_call_indirect` or `return_call_ref`) to an imported host function which captures a stack trace (for example, the host function raises a trap). In this situation, the stack-walking code previously assumed there was always at least one WebAssembly frame on the stack but with tail calls that is no longer true. With the tail-call proposal it's possible to have an entry trampoline appear as if it directly called the exit trampoline. This situation triggers an internal assert in the stack-walking code which raises a Rust `panic!()`. When Wasmtime is compiled with Rust versions 1.80 and prior this means that an `extern "C"` function in Rust is raising a `panic!()`. This is technically undefined behavior and typically manifests as a process abort when the unwinder fails to unwind Cranelift-generated frames. When Wasmtime is compiled with Rust versions 1.81 and later this panic becomes a deterministic process abort. Overall the impact of this issue is that this is a denial-of-service vector where a malicious WebAssembly module or component can cause the host to crash. There is no other impact at this time other
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | >= 12.0.0 < 21.0.2 | 21.0.2 |
| bytecodealliance | wasmtime | >= 21.0.0 < 21.0.2 | 21.0.2 |
| bytecodealliance | wasmtime | >= 22.0.0 < 22.0.1 | 22.0.1 |
| bytecodealliance | wasmtime | >= 23.0.0 < 23.0.3 | 23.0.3 |
| bytecodealliance | wasmtime | >= 24.0.0 < 24.0.1 | 24.0.1 |
| bytecodealliance | wasmtime | >= 25.0.0 < 25.0.2 | 25.0.2 |
| debian | rust-wasmtime | < rust-wasmtime 21.0.2+dfsg-1 (forky) | rust-wasmtime 21.0.2+dfsg-1 (forky) |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv5.5MEDIUM
vendor_debian5.5MEDIUM
vendor_redhat5.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
wasmtime has a runtime crash when combining tail calls with trapping imports
osv·2024-10-09
CVE-2024-47763 [MEDIUM] wasmtime has a runtime crash when combining tail calls with trapping imports
wasmtime has a runtime crash when combining tail calls with trapping imports
### Impact
Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtime crash is a deterministic process abort when Wasmtime is compiled with Rust 1.81 and later.
[WebAssembly tail calls](https://github.com/webassembly/tail-call) are a proposal which relatively recently reached stage 4 in the [standardization process](https://github.com/WebAssembly/proposals/). Wasmtime first enabled support for tail calls by default [in Wasmtime 21.0.0](https://github.com/bytecodealliance/wasmtime/pull/8540), although that release contained a b
OSV
CVE-2024-47763: Wasmtime is an open source runtime for WebAssembly
osv·2024-10-09·CVSS 5.5
CVE-2024-47763 [MEDIUM] CVE-2024-47763: Wasmtime is an open source runtime for WebAssembly
Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtime crash is a deterministic process abort when Wasmtime is compiled with Rust 1.81 and later. WebAssembly tail calls are a proposal which relatively recently reached stage 4 in the standardization process. Wasmtime first enabled support for tail calls by default in Wasmtime 21.0.0, although that release contained a bug where it was only on-by-default for some configurations. In Wasmtime 22.0.0 tail calls were enabled by default for all configurations. The specific crash happens when an exported func
GHSA
wasmtime has a runtime crash when combining tail calls with trapping imports
ghsa·2024-10-09
CVE-2024-47763 [MEDIUM] CWE-617 wasmtime has a runtime crash when combining tail calls with trapping imports
wasmtime has a runtime crash when combining tail calls with trapping imports
### Impact
Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtime crash is a deterministic process abort when Wasmtime is compiled with Rust 1.81 and later.
[WebAssembly tail calls](https://github.com/webassembly/tail-call) are a proposal which relatively recently reached stage 4 in the [standardization process](https://github.com/WebAssembly/proposals/). Wasmtime first enabled support for tail calls by default [in Wasmtime 21.0.0](https://github.com/bytecodealliance/wasmtime/pull/8540), although that release contained a b
OSV
Runtime crash when combining tail calls with stack traces
osv·2024-10-02
CVE-2024-47763 Runtime crash when combining tail calls with stack traces
Runtime crash when combining tail calls with stack traces
This is an entry in the RustSec database for the Wasmtime security advisory
located at
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q8hx-mm92-4wvg.
For more information see the GitHub-hosted security advisory.
Red Hat
wasmtime: Runtime crash when combining tail calls with stack traces
vendor_redhat·2024-10-09·CVSS 5.5
CVE-2024-47763 [MEDIUM] CWE-670 wasmtime: Runtime crash when combining tail calls with stack traces
wasmtime: Runtime crash when combining tail calls with stack traces
Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtime crash is a deterministic process abort when Wasmtime is compiled with Rust 1.81 and later. WebAssembly tail calls are a proposal which relatively recently reached stage 4 in the standardization process. Wasmtime first enabled support for tail calls by default in Wasmtime 21.0.0, although that release contained a bug where it was only on-by-default for some configurations. In Wasmtime 22.0.0 tail calls were enabled by default for
Debian
CVE-2024-47763: rust-wasmtime - Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of...
vendor_debian·2024·CVSS 5.5
CVE-2024-47763 [MEDIUM] CVE-2024-47763: rust-wasmtime - Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of...
Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtime crash is a deterministic process abort when Wasmtime is compiled with Rust 1.81 and later. WebAssembly tail calls are a proposal which relatively recently reached stage 4 in the standardization process. Wasmtime first enabled support for tail calls by default in Wasmtime 21.0.0, although that release contained a bug where it was only on-by-default for some configurations. In Wasmtime 22.0.0 tail calls were enabled by default for all configurations. The specific crash happens when an exported func
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.wasm_tail_callhttps://github.com/WebAssembly/proposalshttps://github.com/bytecodealliance/wasmtime/pull/8540https://github.com/bytecodealliance/wasmtime/pull/8682https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q8hx-mm92-4wvghttps://github.com/webassembly/tail-call
2024-10-09
Published
Exploited in the wild