CVE-2022-39393 Wasmtime vulnerable to data leakage between instances in the pooling allocator

2022-11-1000:00:00

CWE-226

GitHub_M

www.cve.org

wasmtime

pooling allocator

data leakage

version 2.0.2

webassembly

memory-init-cow

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

8.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.8%

JSON

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime’s implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap snapshot of the prior instance can be visible, erroneously to the next instance. This bug has been patched and users should upgrade to Wasmtime 2.0.2. Other mitigations include disabling the pooling allocator and disabling the memory-init-cow.

CNA Affected

[
  {
    "vendor": "bytecodealliance",
    "product": "wasmtime",
    "versions": [
      {
        "version": "< 2.0.2",
        "status": "affected"
      }
    ]
  }
]