CVSS3 base score: 8.8 High
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

EPSS: 0.002 Low (percentile 61.6%)
Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing the metadata required for runtime garbage collection. This means that if a GC happens at runtime, the GC pass will mistakenly conclude that these functions hold no live references to GC'd values, and will reclaim and deallocate those values. The function will then continue to use the values as if they had not been GC'd, leading to a use-after-free. This bug was introduced in the migration to the regalloc2 register allocator that occurred in the Wasmtime 0.37.0 release on 2022-05-20. This bug has been patched and users should upgrade to Wasmtime version 0.38.2. Mitigations for this issue can be achieved by disabling the reference types proposal by passing false to wasmtime::Config::wasm_reference_types, or by downgrading to Wasmtime 0.36.0 or prior.
Author | Note |
---|---|
tyhicks | mozjs contains a copy of the SpiderMonkey JavaScript engine |
mdeslaur | starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap |
rodrigo-zaiden | cranelift, the wasmtime code generator is included in firefox, thunderbird and mozjs families. |
github.com/bytecodealliance/wasmtime/
github.com/bytecodealliance/wasmtime/commit/2154c63de94e0372bca5a596c3eaf90147c922d1
github.com/bytecodealliance/wasmtime/security/advisories/GHSA-5fhj-g3p3-pq9g
github.com/WebAssembly/reference-types
launchpad.net/bugs/cve/CVE-2022-31146
nvd.nist.gov/vuln/detail/CVE-2022-31146
security-tracker.debian.org/tracker/CVE-2022-31146
www.cve.org/CVERecord?id=CVE-2022-31146