PT-2024-32801 · Wasmtime · Wasmtime

Alexcrichton

·

Published

2024-10-02

·

Updated

2025-09-29

·

CVE-2024-47763

CVSS v4.0

6.8

Medium

Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Wasmtime versions 21.0.0 through 21.0.1

Wasmtime versions 22.0.0 through 22.0.0

Wasmtime versions 23.0.0 through 23.0.2

Wasmtime versions 24.0.0 through 24.0.0

Wasmtime versions 25.0.0 through 25.0.1
Description

The issue lies in Wasmtime's implementation of WebAssembly tail calls combined with stack traces, which can result in a runtime crash for certain WebAssembly modules. The crash can occur when an exported function in a WebAssembly module performs a tail call (return_call, return_call_indirect or return_call_ref) to an imported host function that captures a stack trace. The crash is caused by an internal assert in the stack-walking code that raises a Rust panic!(). The impact is a denial-of-service vector: a malicious WebAssembly module or component can cause the host to crash. There is no impact beyond availability of the service, since the result is always a crash and nothing more.
Recommendations

For Wasmtime versions 21.0.0 through 21.0.1, upgrade to version 21.0.2.

For Wasmtime versions 22.0.0 through 22.0.0, upgrade to version 22.0.1.

For Wasmtime versions 23.0.0 through 23.0.2, upgrade to version 23.0.3.

For Wasmtime versions 24.0.0 through 24.0.0, upgrade to version 24.0.1.

For Wasmtime versions 25.0.0 through 25.0.1, upgrade to version 25.0.2.

As a temporary workaround, consider disabling tail call support in Wasmtime by setting Config::wasm_tail_call(false). Note that with tail calls disabled, any module that uses the return_call family of instructions will fail validation, so this is only a stopgap for hosts whose guest modules are known not to rely on tail calls.
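The upgrade table above is per release line, so a host that pins several Wasmtime versions (or ships a pre-release) needs each pin checked separately. The following is an added example written for this page, not code from the Wasmtime project: it scans a Cargo.lock for `wasmtime` entries with a simple line-based reader (not a full TOML parser, which is an assumption of this example), maps each version onto the advisory's affected ranges, and reports the fixed release to upgrade to. The Cargo.lock excerpt is constructed for the example and is not from any real project.

```rust
// Added example, not Wasmtime project code: triage a Cargo.lock against the
// advisory's affected ranges for CVE-2024-47763 and report the fixed release
// to upgrade each affected "wasmtime" entry to.

/// (major, minor, patch); tuples compare lexicographically, which matches
/// semver ordering for plain release versions.
type Version = (u64, u64, u64);

/// Affected ranges (inclusive on both ends) and the fixed release for each,
/// copied from the advisory's Recommendations section.
const AFFECTED: &[(Version, Version, Version)] = &[
    ((21, 0, 0), (21, 0, 1), (21, 0, 2)),
    ((22, 0, 0), (22, 0, 0), (22, 0, 1)),
    ((23, 0, 0), (23, 0, 2), (23, 0, 3)),
    ((24, 0, 0), (24, 0, 0), (24, 0, 1)),
    ((25, 0, 0), (25, 0, 1), (25, 0, 2)),
];

/// Parse "MAJOR.MINOR.PATCH". Pre-release and build suffixes are dropped
/// ("25.0.1-rc1" -> 25.0.1) so a pre-release of an affected version is
/// still flagged rather than silently skipped.
fn parse_version(s: &str) -> Option<Version> {
    let core = s.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(str::parse::<u64>);
    let major = parts.next()?.ok()?;
    let minor = parts.next()?.ok()?;
    let patch = parts.next()?.ok()?;
    if parts.next().is_some() {
        return None; // more than three components: not a version we understand
    }
    Some((major, minor, patch))
}

/// The fixed release to upgrade to if `v` falls in an affected range.
fn fix_for(v: Version) -> Option<Version> {
    AFFECTED
        .iter()
        .find(|(lo, hi, _)| *lo <= v && v <= *hi)
        .map(|(_, _, fix)| *fix)
}

/// Collect the version of every `[[package]]` entry named exactly "wasmtime"
/// (a lockfile may pin more than one; "wasmtime-environ" etc. are skipped).
/// Assumes the usual Cargo.lock layout where `name` precedes `version`.
fn wasmtime_versions_in_lockfile(lock: &str) -> Vec<String> {
    let mut versions = Vec::new();
    let mut in_wasmtime = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_wasmtime = false;
        } else if let Some(name) = line.strip_prefix("name = ") {
            in_wasmtime = name.trim_matches('"') == "wasmtime";
        } else if let Some(ver) = line.strip_prefix("version = ") {
            if in_wasmtime {
                versions.push(ver.trim_matches('"').to_string());
            }
        }
    }
    versions
}

/// One row per pinned wasmtime version: (version, fixed release if affected).
fn triage(lock: &str) -> Vec<(String, Option<Version>)> {
    wasmtime_versions_in_lockfile(lock)
        .into_iter()
        .map(|v| {
            let fix = parse_version(&v).and_then(fix_for);
            (v, fix)
        })
        .collect()
}

/// Constructed Cargo.lock excerpt (not from any real project): one affected
/// pin, one already-fixed pin, and a sibling crate that must be ignored.
const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "wasmtime"
version = "21.0.1"

[[package]]
name = "wasmtime-environ"
version = "21.0.1"

[[package]]
name = "wasmtime"
version = "25.0.2"
"#;

fn main() {
    for (version, fix) in triage(SAMPLE_LOCK) {
        match fix {
            Some((a, b, c)) => println!("wasmtime {version}: affected, upgrade to {a}.{b}.{c}"),
            None => println!("wasmtime {version}: not in an affected range"),
        }
    }
}
```

The ranges in `AFFECTED` are the advisory's table verbatim, so versions outside the listed release lines (for example 20.x, which predates the affected versions, or 25.0.2 and later) report as not affected; a host that cannot upgrade immediately should fall back to the Config::wasm_tail_call(false) workaround above, bearing in mind that tail-call-using modules will then be rejected at validation.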

Exploit

Fix

DoS

Assertion Failure

Weakness Enumeration

Related Identifiers

CVE-2024-47763
GHSA-Q8HX-MM92-4WVG
PYSEC-2024-312
RUSTSEC-2024-0440

Affected Products

Wasmtime