CVE-2024-47813

Published: 09 Oct 2024
Source: nvd
CVSS3: 2.9
EPSS: Low

Description

Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a wasmtime::Engine's internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly's control-flow integrity (CFI) and type safety. Users that do not use wasmtime::Engine across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected. Reproducing this bug requires creating and dropping multiple type instances (such as wasmtime::FuncType or wasmtime::ArrayType) concurrently on multiple threads, where all types are associated with the same wasmtime::Engine. Wasm guests cannot trigger this bug. See the "References" section below for a list of Wasmtime types-related APIs that are affected. Was

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:bytecodealliance:wasmtime:19.0.0:*:*:*:*:rust:*:*
cpe:2.3:a:bytecodealliance:wasmtime:19.0.1:*:*:*:*:rust:*:*
cpe:2.3:a:bytecodealliance:wasmtime:19.0.2:*:*:*:*:rust:*:*
cpe:2.3:a:bytecodealliance:wasmtime:20.0.0:*:*:*:*:rust:*:*
cpe:2.3:a:bytecodealliance:wasmtime:20.0.1:*:*:*:*:rust:*:*
cpe:2.3:a:bytecodealliance:wasmtime:20.0.2:*:*:*:*:rust:*:*
cpe:2.3:a:bytecodealliance:wasmtime:21.0.0:*:*:*:*:rust:*:*
cpe:2.3:a:bytecodealliance:wasmtime:21.0.1:*:*:*:*:rust:*:*
cpe:2.3:a:bytecodealliance:wasmtime:22.0.0:*:*:*:*:rust:*:*
cpe:2.3:a:bytecodealliance:wasmtime:23.0.0:*:*:*:*:rust:*:*
cpe:2.3:a:bytecodealliance:wasmtime:23.0.1:*:*:*:*:rust:*:*
cpe:2.3:a:bytecodealliance:wasmtime:23.0.2:*:*:*:*:rust:*:*
cpe:2.3:a:bytecodealliance:wasmtime:24.0.0:*:*:*:*:rust:*:*
cpe:2.3:a:bytecodealliance:wasmtime:25.0.0:*:*:*:*:rust:*:*
cpe:2.3:a:bytecodealliance:wasmtime:25.0.1:*:*:*:*:rust:*:*

EPSS

Percentile: 2%
0.00014
Low

2.9 Low

CVSS3

Weaknesses

CWE-367

Related vulnerabilities

CVSS3: 2.9
ubuntu
more than 1 year ago

Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly's control-flow integrity (CFI) and type safety. Users that do not use `wasmtime::Engine` across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected. Reproducing this bug requires creating and dropping multiple type instances (such as `wasmtime::FuncType` or `wasmtime::ArrayType`) concurrently on multiple threads, where all types are associated with the same `wasmtime::Engine`. **Wasm guests cannot trigger this bug.** See the "References" section below for a list of Wasmtime types-related APIs that are affected. ...

CVSS3: 2.9
debian
more than 1 year ago

Wasmtime is an open source runtime for WebAssembly. Under certain conc ...

CVSS3: 2.9
github
more than 1 year ago

Wasmtime race condition could lead to WebAssembly control-flow integrity and type safety violations