Vulnerability Details : CVE-2022-31146
Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing the metadata required for runtime garbage collection. This means that if a GC happens at runtime, the GC pass will mistakenly think these functions have no live references to GC'd values and will reclaim and deallocate them. The function will then continue to use the values as if they had not been GC'd, leading to a use-after-free. This bug was introduced in the migration to the `regalloc2` register allocator that occurred in the Wasmtime 0.37.0 release on 2022-05-20. This bug has been patched and users should upgrade to Wasmtime version 0.38.2. The issue can be mitigated by disabling the reference types proposal by passing `false` to `wasmtime::Config::wasm_reference_types`, or by downgrading to Wasmtime 0.36.0 or prior.
Vulnerability category: Memory Corruption
Products affected by CVE-2022-31146
- Bytecodealliance » Cranelift-codegen » For Rust, versions from including (>=) 0.84.0 and before (<) 0.85.2
  `cpe:2.3:a:bytecodealliance:cranelift-codegen:*:*:*:*:*:rust:*:*`
- Bytecodealliance » Wasmtime » For Rust
  `cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*`
Exploit prediction scoring system (EPSS) score for CVE-2022-31146
- EPSS score: 0.23% (probability of exploitation activity in the next 30 days)
- Percentile: ~60% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-31146
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
| 6.4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L | 1.6 | 4.7 | GitHub, Inc. | |
CWE ids for CVE-2022-31146
- The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. (Assigned by: security-advisories@github.com (Primary))
References for CVE-2022-31146
- https://github.com/bytecodealliance/wasmtime/ (GitHub - bytecodealliance/wasmtime: A standalone runtime for WebAssembly) Product; Third Party Advisory
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-5fhj-g3p3-pq9g (Use After Free with `externref`s in Wasmtime · Advisory · bytecodealliance/wasmtime · GitHub) Mitigation; Third Party Advisory
- https://github.com/WebAssembly/reference-types (GitHub - WebAssembly/reference-types: Proposal for adding basic reference types (anyref)) Third Party Advisory