CVE-2024-47813
published 2024-10-09


Priority: P48 · low · 2.9 (CVSS 3.1)
Vector: AV:L / AC:H / PR:H / UI:R / S:U / C:N / I:L / A:L
EPSS: 0.15% (4.7th percentile)

Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly's control-flow integrity (CFI) and type safety.

Users that do not use `wasmtime::Engine` across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected.

Reproducing this bug requires creating and dropping multiple type instances (such as `wasmtime::FuncType` or `wasmtime::ArrayType`) concurrently on multiple threads, where all types are associated with the same `wasmtime::Engine`. **Wasm guests cannot trigger this bug.** See the "References" section below for a list of Wasmtime types-related APIs that are affected.

Wasmtime maintains an internal registry of types within a `wasmtime::Engine` and an engine is shareable across threads. Types can be created and referenced through creation of a `wasmtime::Module`, creation of `wasmtime::FuncType`, or a number of other APIs where the host creates a function (see "References" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly's `call_indirect` function, for example. This bug is a race condition in this management where the internal type registry could be corrupted to trigger an assert or contain invalid state.

Wasmtime's internal representation of a type has individual types (e.g. one-per-host-function) maintain a registration count of how many times it's been used. Types additionally have state within an engine behind a read-write lock such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where

Affected

26 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | | |
| bytecodealliance | wasmtime | >= 19.0.0 < 21.0.2 | 21.0.2 |
| bytecodealliance | wasmtime | >= 22.0.0 < 22.0.1 | 22.0.1 |
| bytecodealliance | wasmtime | >= 23.0.0 < 23.0.3 | 23.0.3 |
| bytecodealliance | wasmtime | >= 24.0.0 < 24.0.1 | 24.0.1 |
| bytecodealliance | wasmtime | >= 25.0.0 < 25.0.2 | 25.0.2 |

CVSS provenance

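| Source | Version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 2.9 | LOW | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L |
| osv | | 2.9 | LOW | |
| vendor_debian | | 2.9 | LOW | |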