PT-2024-32825 · Wasmtime · Wasmtime

Fitzgen · Published 2024-10-03 · Updated 2025-09-29 · CVE-2024-47813

CVSS v3.1: 2.9 (Low)
Vector: AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Wasmtime versions 19.0.0 through 20.0.0
Wasmtime versions 21.0.0 through 21.0.1
Wasmtime versions 22.0.0
Wasmtime versions 23.0.0 through 23.0.2
Wasmtime versions 24.0.0
Wasmtime versions 25.0.0 through 25.0.1

Description

A race condition in Wasmtime's internal type registry can lead to panics and potentially to type registry corruption under certain concurrent event orderings. This corruption could result in violations of WebAssembly's control-flow integrity (CFI) and type safety. Users that do not use wasmtime::Engine across multiple threads are not affected.

The issue arises from a time-of-check versus time-of-use (TOCTOU) bug: one thread atomically decrements a type entry's registration count and then acquires a lock to unregister that entry, but another thread can re-register the type, resurrecting it, before the first thread acquires the lock. The first thread then unregisters an entry that is in use again, and the entry is unregistered a second time when the re-registration is later dropped. This double-unregistration could lead to a WebAssembly CFI violation if a new WebAssembly module is loaded into the engine before the second unregistration occurs.

Recommendations

For Wasmtime versions 19.0.0 through 20.0.0, upgrade to version 21.0.2 or later.
For Wasmtime versions 21.0.0 through 21.0.1, upgrade to version 21.0.2 or later.
For Wasmtime versions 22.0.0, upgrade to version 22.0.1 or later.
For Wasmtime versions 23.0.0 through 23.0.2, upgrade to version 23.0.3 or later.
For Wasmtime versions 24.0.0, upgrade to version 24.0.1 or later.
For Wasmtime versions 25.0.0 through 25.0.1, upgrade to version 25.0.2 or later.

As a temporary workaround, consider avoiding the creation and dropping of Wasmtime types on multiple threads concurrently.
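
The ordering given in the Description, replayed on a single thread so the outcome is deterministic. This is an added example, not Wasmtime's code or its patch: the Registry type, the key "ty" and the recheck flag are assumptions made for illustration, and the recheck branch is one way to re-validate the decision under the lock in this simplified model.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicUsize, Ordering::SeqCst};
use std::sync::{Arc, Mutex};

// Simplified model of a ref-counted registry (assumption; not Wasmtime's code).
struct Registry { entries: Mutex<HashMap<&'static str, Arc<AtomicUsize>>> }

impl Registry {
    // Registration runs entirely under the lock and may revive a zero count.
    fn register(&self, key: &'static str) -> Arc<AtomicUsize> {
        let mut map = self.entries.lock().unwrap();
        let count = map.entry(key).or_insert_with(|| Arc::new(AtomicUsize::new(0))).clone();
        count.fetch_add(1, SeqCst);
        count
    }
    // Drop, step 1: atomic decrement with no lock held. True if the count hit zero.
    fn decrement(count: &AtomicUsize) -> bool {
        count.fetch_sub(1, SeqCst) == 1
    }
    // Drop, step 2: take the lock and unregister. With `recheck`, removal is skipped
    // unless the count is still zero and the key still maps to this same entry.
    fn unregister(&self, key: &'static str, count: &Arc<AtomicUsize>, recheck: bool) {
        let mut map = self.entries.lock().unwrap();
        let same = map.get(key).map_or(false, |c| Arc::ptr_eq(c, count));
        if recheck && (count.load(SeqCst) != 0 || !same) { return; }
        map.remove(key);
    }
    fn contains(&self, key: &'static str) -> bool {
        self.entries.lock().unwrap().contains_key(key)
    }
}

// Replays the advisory's ordering on one thread so the outcome is deterministic.
// Returns (B's entry survives A's drop, C's entry survives B's drop).
fn replay(recheck: bool) -> (bool, bool) {
    let reg = Registry { entries: Mutex::new(HashMap::new()) };
    let a = reg.register("ty");
    let a_zero = Registry::decrement(&a); // thread A: 1 -> 0, lock not yet taken
    let b = reg.register("ty"); // thread B: re-registers, 0 -> 1
    if a_zero { reg.unregister("ty", &a, recheck); } // thread A gets the lock late
    let b_ok = reg.contains("ty");
    let _c = reg.register("ty"); // a later load uses the key before B drops
    if Registry::decrement(&b) { reg.unregister("ty", &b, recheck); } // second unregistration
    (b_ok, reg.contains("ty"))
}

fn main() {
    println!("racy: {:?}, rechecked: {:?}", replay(false), replay(true));
}
```

Without the recheck, the late unregistration removes the entry thread B is still using, and B's own drop then removes the entry a later registration created; with the recheck both entries survive.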

Weakness Enumeration

Time Of Check To Time Of Use

Related Identifiers

CVE-2024-47813
GHSA-7QMX-3FPX-R45M
PYSEC-2024-311
RUSTSEC-2024-0439

Affected Products

Wasmtime