CVE-2024-47813: Time-of-check Time-of-use (TOCTOU) Race Condition in Wasmtime

Severity: 2.9 LOW (NVD)
EPSS: 0.0% (top 97.42%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 9

Description

Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly's control-flow integrity (CFI) and type safety. Users that do not use `wasmtime::Engine` acro

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L
Exploitability: 0.3 | Impact: 2.5

Affected Packages (4 packages)

debian | debian/rust-wasmtime | < rust-wasmtime 21.0.2+dfsg-1 (forky)
crates.io | bytecodealliance/wasmtime | 19.0.0 | 21.0.2 | +4
CVEListV5 | bytecodealliance/wasmtime | 5 versions | +4
NVD | bytecodealliance/wasmtime | 15 versions | +14

Vulnerability Details (4)

OSV | Wasmtime race condition could lead to WebAssembly control-flow integrity and type safety violations | 2024-10-09
OSV | CVE-2024-47813: Wasmtime is an open source runtime for WebAssembly | 2024-10-09
GHSA | Wasmtime race condition could lead to WebAssembly control-flow integrity and type safety violations | 2024-10-09
OSV | Race condition could lead to WebAssembly control-flow integrity and type safety violations | 2024-10-03

Vendor Advisories (1)

Debian | CVE-2024-47813: rust-wasmtime - Wasmtime is an open source runtime for WebAssembly. Under certain concurrent eve... | 2024