Vulnerability Details CVE-2022-39393
Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap snapshot of the prior instance can be visible, erroneously to the next instance. This bug has been patched and users should upgrade to Wasmtime 2.0.2 and 1.0.2. Other mitigations include disabling the pooling allocator and disabling the `memory-init-cow`.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 27.6%
CVSS Severity
CVSS v3 Score 8.6
References
- https://github.com/bytecodealliance/wasmtime/commit/2614f2e9d2d36805ead8a8da0fa0c6e0d9e428a0
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-wh6w-3828-g9qf
- https://github.com/bytecodealliance/wasmtime/commit/2614f2e9d2d36805ead8a8da0fa0c6e0d9e428a0
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-wh6w-3828-g9qf
Products affected by CVE-2022-39393
-
cpe:2.3:a:bytecodealliance:wasmtime:0.10.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.11.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.12.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.15.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.16.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.17.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.18.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.19.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.2.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.20.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.21.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.22.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.22.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.23.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.24.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.25.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.26.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.26.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.27.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.28.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.29.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.3.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.30.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.31.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.32.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.32.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.33.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.33.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.34.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.34.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.34.2
-
cpe:2.3:a:bytecodealliance:wasmtime:0.35.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.35.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.35.2
-
cpe:2.3:a:bytecodealliance:wasmtime:0.36.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.37.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.38.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.38.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.38.2
-
cpe:2.3:a:bytecodealliance:wasmtime:0.38.3
-
cpe:2.3:a:bytecodealliance:wasmtime:0.39.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.39.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.4.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.40.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.40.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.6.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.8.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.9.0
-
cpe:2.3:a:bytecodealliance:wasmtime:1.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:1.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:2.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:2.0.1