CVE-2022-39393

2022-11-1020:15:11

Google

osv.dev

wasmtime

webassembly

pooling allocator

memory-init-cow

bug fix

security patch

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

8.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.8%

JSON

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime’s implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap snapshot of the prior instance can be visible, erroneously to the next instance. This bug has been patched and users should upgrade to Wasmtime 2.0.2. Other mitigations include disabling the pooling allocator and disabling the memory-init-cow.

CPENameOperatorVersion
wasmtimeeqcranelift-v0.60.0
wasmtimeeq0.19.0
wasmtimeeq2.0.0
wasmtimeeq0.21.0
wasmtimeeq0.29.0
wasmtimeeq0.27.0
wasmtimeeq0.23.0
wasmtimeeqcranelift-v0.69.0
wasmtimeeq0.32.0
wasmtimeeq0.26.0

Name	Operator	Version
wasmtime	eq	cranelift-v0.60.0
wasmtime	eq	0.19.0
wasmtime	eq	2.0.0
wasmtime	eq	0.21.0
wasmtime	eq	0.29.0
wasmtime	eq	0.27.0
wasmtime	eq	0.23.0
wasmtime	eq	cranelift-v0.69.0
wasmtime	eq	0.32.0
wasmtime	eq	0.26.0