CVE-2024-47813
Published 2024-10-09
Priority P48 · low · 2.9 (CVSS 3.1)
Vector: AV:L / AC:H / PR:H / UI:R / S:U / C:N / I:L / A:L
EPSS: 0.15% (4.7th percentile)
Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly's control-flow integrity (CFI) and type safety. Users that do not use `wasmtime::Engine` across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected.
Reproducing this bug requires creating and dropping multiple type instances (such as `wasmtime::FuncType` or `wasmtime::ArrayType`) concurrently on multiple threads, where all types are associated with the same `wasmtime::Engine`. **Wasm guests cannot trigger this bug.** See the "References" section below for a list of Wasmtime types-related APIs that are affected.
Wasmtime maintains an internal registry of types within a `wasmtime::Engine`, and an engine is shareable across threads. Types can be created and referenced through creation of a `wasmtime::Module`, creation of a `wasmtime::FuncType`, or a number of other APIs where the host creates a function (see "References" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly's `call_indirect` function, for example. This bug is a race condition in this management, where the internal type registry could be corrupted to trigger an assert or contain invalid state.
In Wasmtime's internal representation, each individual type (e.g. one per host function) maintains a registration count of how many times it has been used. Types additionally have state within an engine behind a read-write lock, such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where
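The description breaks off before spelling out the interleaving, so what follows is an added illustration, not Wasmtime's code or the advisory's text: a simplified Rust model of a deduplicating registry whose per-entry registration count is checked outside the lock and acted on inside it. `replay(false)` ends in a double-unregistration; `replay(true)` re-validates under the write lock and does not. The `Entry`, `Registry`, `release`, `teardown` and `replay` names and the replayed ordering are assumptions made for the example.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicUsize, Ordering::SeqCst};
use std::sync::{Arc, RwLock};
// Simplified model (an assumption for illustration), not Wasmtime's registry.
#[derive(Default)]
pub struct Entry {
    registrations: AtomicUsize, // live users of this deduplicated type
    unregistered: AtomicUsize,  // teardown count; above 1 means double-unregistration
}
#[derive(Default)]
pub struct Registry { map: RwLock<HashMap<String, Arc<Entry>>> }

impl Registry {
    /// Deduplicating registration: an existing entry is reused, even at count zero.
    pub fn register(&self, key: &str) -> Arc<Entry> {
        let mut map = self.map.write().unwrap();
        let e = map.entry(key.to_string()).or_default();
        e.registrations.fetch_add(1, SeqCst);
        Arc::clone(e)
    }
    /// Time of check: drop one registration without the lock; true if zero was observed.
    pub fn release(e: &Entry) -> bool { e.registrations.fetch_sub(1, SeqCst) == 1 }
    /// Time of use: tear the entry down. `recheck` selects the hardened variant.
    pub fn teardown(&self, key: &str, e: &Arc<Entry>, recheck: bool) -> bool {
        let mut map = self.map.write().unwrap();
        if recheck {
            // Re-validate under the lock: still the mapped entry, still unused.
            let mapped = map.get(key).map_or(false, |cur| Arc::ptr_eq(cur, e));
            if !mapped || e.registrations.load(SeqCst) != 0 { return false; }
        }
        map.remove(key);
        e.unregistered.fetch_add(1, SeqCst);
        true
    }
}

/// Replays one constructed interleaving on one thread; returns the teardown count.
pub fn replay(recheck: bool) -> usize {
    let (reg, key) = (Registry::default(), "(i32) -> i32");
    let a = reg.register(key);
    let a_saw_zero = Registry::release(&a); // A: check, lock not yet taken
    let b = reg.register(key); // B: resurrects the same entry
    if Registry::release(&b) { reg.teardown(key, &b, recheck); } // B: full drop
    if a_saw_zero { reg.teardown(key, &a, recheck); } // A: acts on its stale check
    a.unregistered.load(SeqCst)
}

fn main() { println!("unchecked: {}, rechecked: {}", replay(false), replay(true)); }
```
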
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | >= 19.0.0 < 21.0.2 | 21.0.2 |
| bytecodealliance | wasmtime | >= 22.0.0 < 22.0.1 | 22.0.1 |
| bytecodealliance | wasmtime | >= 23.0.0 < 23.0.3 | 23.0.3 |
| bytecodealliance | wasmtime | >= 24.0.0 < 24.0.1 | 24.0.1 |
| bytecodealliance | wasmtime | >= 25.0.0 < 25.0.2 | 25.0.2 |
CVSS provenance
nvd · v3.1 · 2.9 LOW · CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L
osv · 2.9 LOW
vendor_debian · 2.9 LOW
OSV
Wasmtime race condition could lead to WebAssembly control-flow integrity and type safety violations
osv·2024-10-09
OSV
CVE-2024-47813: Wasmtime is an open source runtime for WebAssembly
osv·2024-10-09·CVSS 2.9
GHSA
Wasmtime race condition could lead to WebAssembly control-flow integrity and type safety violations
ghsa·2024-10-09
CVE-2024-47813 [LOW] CWE-367
OSV
Race condition could lead to WebAssembly control-flow integrity and type safety violations
osv·2024-10-03
This is an entry in the RustSec database for the Wasmtime security advisory
located at
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7qmx-3fpx-r45m.
For more information see the GitHub-hosted security advisory.
Debian
CVE-2024-47813: rust-wasmtime - Wasmtime is an open source runtime for WebAssembly. Under certain concurrent eve...
vendor_debian·2024·CVSS 2.9
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2024-10-09