CVE-2022-39393

2022-11-1020:15:11

CWE-212

CWE-226

[email protected]

web.nvd.nist.gov

wasmtime

webassembly

wasmtime bug

vulnerability

memory-init-cow

pooling allocator

cve-2022-39393

nvd

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

8.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.8%

JSON

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime’s implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap snapshot of the prior instance can be visible, erroneously to the next instance. This bug has been patched and users should upgrade to Wasmtime 2.0.2. Other mitigations include disabling the pooling allocator and disabling the memory-init-cow.

Affected configurations

Vulners

NVD

Node

bytecodealliancewasmtimeRange<2.0.2

VendorProductVersionCPE
bytecodealliancewasmtime*cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
bytecodealliance	wasmtime	*	cpe:2.3:a:bytecodealliance:wasmtime::::::::

CNA Affected

[
  {
    "vendor": "bytecodealliance",
    "product": "wasmtime",
    "versions": [
      {
        "version": "< 2.0.2",
        "status": "affected"
      }
    ]
  }
]