PT-2024-23309 · Wasmtime · Wasmtime

Shinwonho · Published 2024-04-02 · Updated 2025-09-02 · CVE-2024-30266

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Wasmtime version 19.0.0

Description

A regression in Wasmtime can cause the host runtime to panic while executing a guest WebAssembly module. The panic occurs when a WebAssembly module issues a table.* instruction using a dropped element segment with a table that has an externref type: Wasmtime then uses an empty function segment instead of an empty externref segment. Triggering the panic requires the reference-types WebAssembly feature, which is enabled by default. The issue is a possible denial of service in some scenarios, but it does not introduce memory unsafety or allow WebAssembly to break out of its sandbox.

Recommendations

For Wasmtime version 19.0.0, upgrade to version 19.0.1 to fix the issue. As a temporary workaround, call config.wasm_reference_types(false) to disable the reference-types feature at validation time, which prevents the possibility of a panic at runtime.

Exploit

Fix

Type Confusion

Weakness Enumeration

Related Identifiers

CVE-2024-30266
GHSA-75HQ-H6G9-H4Q5
RUSTSEC-2024-0441

Affected Products

Wasmtime