CVE-2024-47763
published 2024-10-09

Priority: P4 · 23 · medium · 5.5 · CVSS 3.1
AV:L / AC:L / PR:L / UI:N / S:U / C:N / I:N / A:H
ITW
Exploited in the wild
EPSS: 0.24% (15.5th percentile)

Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtime crash is a deterministic process abort when Wasmtime is compiled with Rust 1.81 and later.

WebAssembly tail calls are a proposal which relatively recently reached stage 4 in the standardization process. Wasmtime first enabled support for tail calls by default in Wasmtime 21.0.0, although that release contained a bug where it was only on-by-default for some configurations. In Wasmtime 22.0.0 tail calls were enabled by default for all configurations.

The specific crash happens when an exported function in a WebAssembly module (or component) performs a `return_call` (or `return_call_indirect` or `return_call_ref`) to an imported host function which captures a stack trace (for example, the host function raises a trap). In this situation, the stack-walking code previously assumed there was always at least one WebAssembly frame on the stack but with tail calls that is no longer true. With the tail-call proposal it's possible to have an entry trampoline appear as if it directly called the exit trampoline. This situation triggers an internal assert in the stack-walking code which raises a Rust `panic!()`.

When Wasmtime is compiled with Rust versions 1.80 and prior this means that an `extern "C"` function in Rust is raising a `panic!()`. This is technically undefined behavior and typically manifests as a process abort when the unwinder fails to unwind Cranelift-generated frames. When Wasmtime is compiled with Rust versions 1.81 and later this panic becomes a deterministic process abort.

Overall the impact of this issue is that this is a denial-of-service vector where a malicious WebAssembly module or component can cause the host to crash. There is no other impact at this time other

Affected

21 ranges
Vendor | Product | Version range | Fixed in
bytecodealliance | wasmtime | |
bytecodealliance | wasmtime | |
bytecodealliance | wasmtime | |
bytecodealliance | wasmtime | |
bytecodealliance | wasmtime | |
bytecodealliance | wasmtime | |
bytecodealliance | wasmtime | |
bytecodealliance | wasmtime | |
bytecodealliance | wasmtime | |
bytecodealliance | wasmtime | |
bytecodealliance | wasmtime | |
bytecodealliance | wasmtime | |
bytecodealliance | wasmtime | |
bytecodealliance | wasmtime | |
bytecodealliance | wasmtime | >= 12.0.0 < 21.0.2 | 21.0.2
bytecodealliance | wasmtime | >= 21.0.0 < 21.0.2 | 21.0.2
bytecodealliance | wasmtime | >= 22.0.0 < 22.0.1 | 22.0.1
bytecodealliance | wasmtime | >= 23.0.0 < 23.0.3 | 23.0.3
bytecodealliance | wasmtime | >= 24.0.0 < 24.0.1 | 24.0.1
bytecodealliance | wasmtime | >= 25.0.0 < 25.0.2 | 25.0.2
debian | rust-wasmtime | < rust-wasmtime 21.0.2+dfsg-1 (forky) | rust-wasmtime 21.0.2+dfsg-1 (forky)

CVSS provenance

nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv | 5.5 | MEDIUM
vendor_debian | 5.5 | MEDIUM
vendor_redhat | 5.5 | MEDIUM