CVE-2022-39394

Name of the Vulnerable Software and Affected Versions Wasmtime versions prior to 2.0.2

Description There is a bug in Wasmtime's C API implementation where the definition of the wasmtime trap code does not match its declared signature in the wasmtime/trap.h header file. This discrepancy causes the function implementation to perform a 4-byte write into a 1-byte buffer provided by the caller, leading to three zero bytes being written beyond the 1-byte location provided by the caller. This issue affects users of the C API function wasmtime trap code, but not users of the wasmtime crate.

Recommendations For versions prior to 2.0.2, upgrade to Wasmtime 2.0.2 to resolve the issue. As a temporary workaround, consider providing a 4-byte buffer casted to a 1-byte buffer when calling wasmtime trap code.