PT-2023-22821 · Llvm+2

Guidovranken · Published 2023-04-21 · Updated 2023-05-11 · CVE-2023-30624

CVSS v3.1: 3.9 (Low)
Vector: AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions
  • Wasmtime versions prior to 6.0.2
  • Wasmtime versions prior to 7.0.1
  • Wasmtime versions prior to 8.0.1

Description
Wasmtime's implementation of managing per-instance state contains LLVM-level undefined behavior, which can cause runtime-level issues when compiled with LLVM 16. This undefined behavior is due to the use of unsafe code to maintain the runtime state for an instance, which involves a Rust-defined structure called Instance with a trailing VMContext structure. The code has methods that take &self as an argument but modify data in the VMContext part of the allocation, which is typically not allowed in Rust.

The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

Technical details about exploitation include:
  • The VMContext structure has a runtime-defined layout that is unique per-module.
  • The code doing this has methods which take &self as an argument but modify data in the VMContext part of the allocation.
  • This means that pointers derived from &self are mutated, which is typically not allowed, except in the presence of UnsafeCell, in Rust.
  • When compiled to LLVM these functions have noalias readonly parameters which means it's undefined behavior to write through the pointers.
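
The UnsafeCell exception from the list above, as an added example (not code from Wasmtime or from this advisory, and not a rendering of the actual patch). The four-slot layout and the names set_slot, slot and demo are hypothetical; the unsound shape is shown only as a comment.

```rust
use std::cell::UnsafeCell;

// Hypothetical stand-in: a Rust-defined header plus a trailing state area.
// The real VMContext layout is runtime-defined; four fixed slots are assumed.
#[repr(C)]
pub struct Instance {
    pub module_id: u32,
    // UnsafeCell marks this region as mutable behind `&self`, so rustc does
    // not emit `noalias readonly` for `&Instance` parameters.
    vmctx: UnsafeCell<[u64; 4]>,
}

// Unsound shape from the advisory, as a comment only (plain `[u64; 4]` field):
//     fn set_slot(&self, i: usize, v: u64) {
//         let p = self.vmctx.as_ptr() as *mut u64; // derived from &self
//         unsafe { p.add(i).write(v) }             // write via readonly ptr
//     }

impl Instance {
    pub fn new(module_id: u32) -> Self {
        Instance { module_id, vmctx: UnsafeCell::new([0; 4]) }
    }

    /// Writes one slot through `&self`; returns false when `i` is out of range.
    pub fn set_slot(&self, i: usize, v: u64) -> bool {
        if i >= 4 { return false; }
        // SAFETY: `i` is in bounds, the pointer comes from UnsafeCell::get, and
        // UnsafeCell makes Instance !Sync, so no other thread shares the slots.
        unsafe { (self.vmctx.get() as *mut u64).add(i).write(v) };
        true
    }

    /// Reads one slot; returns None when `i` is out of range.
    pub fn slot(&self, i: usize) -> Option<u64> {
        if i >= 4 { return None; }
        // SAFETY: in bounds; no reference into the slots is ever handed out.
        Some(unsafe { (self.vmctx.get() as *const u64).add(i).read() })
    }
}

/// Read, write, read again, then an out-of-range write, all via `&Instance`.
pub fn demo() -> (Option<u64>, Option<u64>, bool, u32) {
    let inst = Instance::new(7);
    let shared: &Instance = &inst;
    let before = shared.slot(2);
    shared.set_slot(2, 0xdead_beef);
    (before, shared.slot(2), shared.set_slot(4, 1), shared.module_id)
}

fn main() { println!("{:?}", demo()); }
```
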

Recommendations
Update to Wasmtime version 6.0.2 or later if you are using a version prior to 6.0.2. Update to Wasmtime version 7.0.1 or later if you are using a version prior to 7.0.1. Update to Wasmtime version 8.0.1 or later if you are using a version prior to 8.0.1.

If Wasmtime is compiled with Rust 1.69 and prior, which use LLVM 15, then there are no known issues, but it's still recommended to update to a patched version of Wasmtime. Users using beta Rust (1.70 or later) or nightly Rust (1.71 or later) must update to a patched version to work correctly.

Related Identifiers

CVE-2023-30624
GHSA-CH89-5G45-QWC7
RUSTSEC-2023-0092

Affected Products

Llvm
Rust
Wasmtime