CVE-2022-31146

Use After Free in Wasmtime

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Wasmtime is a standalone runtime for WebAssembly. There is a bug in the Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing metadata required for runtime garbage collection. This means that if a GC happens at runtime then the GC pass will mistakenly think these functions do not have live references to GC'd values, reclaiming them and deallocating them. The function will then subsequently continue to use the values assuming they had not been GC'd, leading later to a use-after-free. This bug was introduced in the migration to the `regalloc2` register allocator that occurred in the Wasmtime 0.37.0 release on 2022-05-20. This bug has been patched and users should upgrade to Wasmtime version 0.38.2. Mitigations for this issue can be achieved by disabling the reference types proposal by passing `false` to `wasmtime::Config::wasm_reference_types` or downgrading to Wasmtime 0.36.0 or prior.

Se presenta un error en el generador de código de Wasmtime, Cranelift, en el que las funciones que usan tipos de referencia pueden carecer incorrectamente de los metadatos necesarios para la recolección de basura en tiempo de ejecución. Esto significa que si es producida una GC en tiempo de ejecución, el pase de GC pensará erróneamente que estas funciones no presentan referencias vivas a los valores de la GC, reclamándolos y reasignándolos. La función continuará entonces usando los valores asumiendo que no han sido GC'd, conllevando más tarde a un uso de memoria previamente liberada. Este bug fue introducido en la migración al asignador de registros "regalloc2" que ocurrió en Wasmtime versión 0.37.0 del 20-05-2022. Este bug ha sido parcheado y los usuarios deberían actualizar a Wasmtime versión 0.38.2. La mitigación de este problema puede lograrse al hacer una de las siguientes cosas: * Deshabilitar la propuesta de tipos de referencia pasando "false" a ["wasmtime::Config::wasm_reference_types"](https://docs.rs/wasmtime/0.38.0/wasmtime/struct.Config.html#method.wasm_reference_types). * Desactualizar a Wasmtime versión 0.36.0 o anterior

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-05-18 CVE Reserved
2022-07-20 CVE Published
2024-06-05 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (3)

URL	Tag	Source
https://github.com/WebAssembly/reference-types	Third Party Advisory
https://github.com/bytecodealliance/wasmtime	Product
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-5fhj-g3p3-pq9g	Mitigation

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Bytecodealliance Search vendor "Bytecodealliance"		Cranelift-codegen Search vendor "Bytecodealliance" for product "Cranelift-codegen"				>= 0.84.0 < 0.85.2 Search vendor "Bytecodealliance" for product "Cranelift-codegen" and version " >= 0.84.0 < 0.85.2"		rust		Affected
Bytecodealliance Search vendor "Bytecodealliance"		Wasmtime Search vendor "Bytecodealliance" for product "Wasmtime"				>= 0.37.0 < 0.38.2 Search vendor "Bytecodealliance" for product "Wasmtime" and version " >= 0.37.0 < 0.38.2"		rust		Affected