Vulnerability-Lookup

CVE-2024-47813 (GCVE-0-2024-47813)

Vulnerability from cvelistv5 – Published: 2024-10-09 18:07 – Updated: 2024-10-09 19:43

Title

Wasmtime race condition could lead to WebAssembly control-flow integrity and type safety violations

Summary

Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly's control-flow integrity (CFI) and type safety. Users that do not use `wasmtime::Engine` across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected. Reproducing this bug requires creating and dropping multiple type instances (such as `wasmtime::FuncType` or `wasmtime::ArrayType`) concurrently on multiple threads, where all types are associated with the same `wasmtime::Engine`. **Wasm guests cannot trigger this bug.** See the "References" section below for a list of Wasmtime types-related APIs that are affected. Wasmtime maintains an internal registry of types within a `wasmtime::Engine` and an engine is shareable across threads. Types can be created and referenced through creation of a `wasmtime::Module`, creation of `wasmtime::FuncType`, or a number of other APIs where the host creates a function (see "References" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly's `call_indirect` function, for example. This bug is a race condition in this management where the internal type registry could be corrupted to trigger an assert or contain invalid state. Wasmtime's internal representation of a type has individual types (e.g. one-per-host-function) maintain a registration count of how many time it's been used. Types additionally have state within an engine behind a read-write lock such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where one thread atomically decrements a type entry's registration count, observes zero registrations, and then acquires a lock in order to unregister that entry. However, between when this first thread observed the zero-registration count and when it acquires that lock, another thread could perform the following sequence of events: re-register another copy of the type, which deduplicates to that same entry, resurrecting it and incrementing its registration count; then drop the type and decrement its registration count; observe that the registration count is now zero; acquire the type registry lock; and finally unregister the type. Now, when the original thread finally acquires the lock and unregisters the entry, it is the second time this entry has been unregistered. This bug was originally introduced in Wasmtime 19's development of the WebAssembly GC proposal. This bug affects users who are not using the GC proposal, however, and affects Wasmtime in its default configuration even when the GC proposal is disabled. Wasmtime users using 19.0.0 and after are all affected by this issue. We have released the following Wasmtime versions, all of which have a fix for this bug: * 21.0.2 * 22.0.1 * 23.0.3 * 24.0.1 * 25.0.2. If your application creates and drops Wasmtime types on multiple threads concurrently, there are no known workarounds. Users are encouraged to upgrade to a patched release.

Severity ?

2.9 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L

CWE

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

Assigner

GitHub_M

References

URL

Tags

	https://github.com/bytecodealliance/wasmtime/secu…	x_refsource_CONFIRM
	https://github.com/bytecodealliance/wasmtime/pull/7969	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	bytecodealliance	wasmtime	Affected: >= 19.0.0, < 21.0.2 Affected: >= 22.0.0, < 22.0.1 Affected: >= 23.0.0, < 23.0.3 Affected: >= 24.0.0, < 24.0.1 Affected: >= 25.0.0, < 25.0.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47813",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-09T19:43:41.511742Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-09T19:43:53.508Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wasmtime",
          "vendor": "bytecodealliance",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 19.0.0, \u003c 21.0.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 22.0.0, \u003c 22.0.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 23.0.0, \u003c 23.0.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 24.0.0, \u003c 24.0.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 25.0.0, \u003c 25.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`\u0027s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly\u0027s control-flow integrity (CFI) and type safety. Users that do not use `wasmtime::Engine` across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected. Reproducing this bug requires creating and dropping multiple type instances (such as `wasmtime::FuncType` or `wasmtime::ArrayType`) concurrently on multiple threads, where all types are associated with the same `wasmtime::Engine`. **Wasm guests cannot trigger this bug.** See the \"References\" section below for a list of Wasmtime types-related APIs that are affected. Wasmtime maintains an internal registry of types within a `wasmtime::Engine` and an engine is shareable across threads. Types can be created and referenced through creation of a `wasmtime::Module`, creation of `wasmtime::FuncType`, or a number of other APIs where the host creates a function (see \"References\" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly\u0027s `call_indirect` function, for example. This bug is a race condition in this management where the internal type registry could be corrupted to trigger an assert or contain invalid state. Wasmtime\u0027s internal representation of a type has individual types (e.g. one-per-host-function) maintain a registration count of how many time it\u0027s been used. Types additionally have state within an engine behind a read-write lock such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where one thread atomically decrements a type entry\u0027s registration count, observes zero registrations, and then acquires a lock in order to unregister that entry. However, between when this first thread observed the zero-registration count and when it acquires that lock, another thread could perform the following sequence of events: re-register another copy of the type, which deduplicates to that same entry, resurrecting it and incrementing its registration count; then drop the type and decrement its registration count; observe that the registration count is now zero; acquire the type registry lock; and finally unregister the type. Now, when the original thread finally acquires the lock and unregisters the entry, it is the second time this entry has been unregistered. This bug was originally introduced in Wasmtime 19\u0027s development of the WebAssembly GC proposal. This bug affects users who are not using the GC proposal, however, and affects Wasmtime in its default configuration even when the GC proposal is disabled. Wasmtime users using 19.0.0 and after are all affected by this issue. We have released the following Wasmtime versions, all of which have a fix for this bug: * 21.0.2 * 22.0.1 * 23.0.3 * 24.0.1 * 25.0.2. If your application creates and drops Wasmtime types on multiple threads concurrently, there are no known workarounds. Users are encouraged to upgrade to a patched release."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-09T18:07:49.686Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7qmx-3fpx-r45m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7qmx-3fpx-r45m"
        },
        {
          "name": "https://github.com/bytecodealliance/wasmtime/pull/7969",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/pull/7969"
        }
      ],
      "source": {
        "advisory": "GHSA-7qmx-3fpx-r45m",
        "discovery": "UNKNOWN"
      },
      "title": "Wasmtime race condition could lead to WebAssembly control-flow integrity and type safety violations"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-47813",
    "datePublished": "2024-10-09T18:07:49.686Z",
    "dateReserved": "2024-10-03T14:06:12.637Z",
    "dateUpdated": "2024-10-09T19:43:53.508Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-47813\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-09T19:43:41.511742Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-09T19:43:46.457Z\"}}], \"cna\": {\"title\": \"Wasmtime race condition could lead to WebAssembly control-flow integrity and type safety violations\", \"source\": {\"advisory\": \"GHSA-7qmx-3fpx-r45m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 2.9, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"bytecodealliance\", \"product\": \"wasmtime\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 19.0.0, \u003c 21.0.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 22.0.0, \u003c 22.0.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 23.0.0, \u003c 23.0.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 24.0.0, \u003c 24.0.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 25.0.0, \u003c 25.0.2\"}]}], \"references\": [{\"url\": \"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7qmx-3fpx-r45m\", \"name\": \"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7qmx-3fpx-r45m\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/bytecodealliance/wasmtime/pull/7969\", \"name\": \"https://github.com/bytecodealliance/wasmtime/pull/7969\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`\u0027s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly\u0027s control-flow integrity (CFI) and type safety. Users that do not use `wasmtime::Engine` across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected. Reproducing this bug requires creating and dropping multiple type instances (such as `wasmtime::FuncType` or `wasmtime::ArrayType`) concurrently on multiple threads, where all types are associated with the same `wasmtime::Engine`. **Wasm guests cannot trigger this bug.** See the \\\"References\\\" section below for a list of Wasmtime types-related APIs that are affected. Wasmtime maintains an internal registry of types within a `wasmtime::Engine` and an engine is shareable across threads. Types can be created and referenced through creation of a `wasmtime::Module`, creation of `wasmtime::FuncType`, or a number of other APIs where the host creates a function (see \\\"References\\\" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly\u0027s `call_indirect` function, for example. This bug is a race condition in this management where the internal type registry could be corrupted to trigger an assert or contain invalid state. Wasmtime\u0027s internal representation of a type has individual types (e.g. one-per-host-function) maintain a registration count of how many time it\u0027s been used. Types additionally have state within an engine behind a read-write lock such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where one thread atomically decrements a type entry\u0027s registration count, observes zero registrations, and then acquires a lock in order to unregister that entry. However, between when this first thread observed the zero-registration count and when it acquires that lock, another thread could perform the following sequence of events: re-register another copy of the type, which deduplicates to that same entry, resurrecting it and incrementing its registration count; then drop the type and decrement its registration count; observe that the registration count is now zero; acquire the type registry lock; and finally unregister the type. Now, when the original thread finally acquires the lock and unregisters the entry, it is the second time this entry has been unregistered. This bug was originally introduced in Wasmtime 19\u0027s development of the WebAssembly GC proposal. This bug affects users who are not using the GC proposal, however, and affects Wasmtime in its default configuration even when the GC proposal is disabled. Wasmtime users using 19.0.0 and after are all affected by this issue. We have released the following Wasmtime versions, all of which have a fix for this bug: * 21.0.2 * 22.0.1 * 23.0.3 * 24.0.1 * 25.0.2. If your application creates and drops Wasmtime types on multiple threads concurrently, there are no known workarounds. Users are encouraged to upgrade to a patched release.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-367\", \"description\": \"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-10-09T18:07:49.686Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-47813\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-09T19:43:53.508Z\", \"dateReserved\": \"2024-10-03T14:06:12.637Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-10-09T18:07:49.686Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

cve-2024-47813

Vulnerability from osv_rustsec

Published

2024-10-03 12:00

Modified

2025-05-02 08:23

Summary

Race condition could lead to WebAssembly control-flow integrity and type safety violations

Details

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7qmx-3fpx-r45m. For more information see the GitHub-hosted security advisory.

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime",
        "purl": "pkg:cargo/wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0"
            },
            {
              "fixed": "21.0.2"
            },
            {
              "introduced": "22.0.0"
            },
            {
              "fixed": "22.0.1"
            },
            {
              "introduced": "23.0.0"
            },
            {
              "fixed": "23.0.3"
            },
            {
              "introduced": "24.0.0"
            },
            {
              "fixed": "24.0.1"
            },
            {
              "introduced": "25.0.0"
            },
            {
              "fixed": "25.0.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2024-47813",
    "GHSA-7qmx-3fpx-r45m"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "This is an entry in the RustSec database for the Wasmtime security advisory\nlocated at\nhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7qmx-3fpx-r45m.\nFor more information see the GitHub-hosted security advisory.",
  "id": "RUSTSEC-2024-0439",
  "modified": "2025-05-02T08:23:27Z",
  "published": "2024-10-03T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/wasmtime"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0439.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7qmx-3fpx-r45m"
    }
  ],
  "related": [],
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Race condition could lead to WebAssembly control-flow integrity and type safety violations"
}

GHSA-7QMX-3FPX-R45M

Vulnerability from github – Published: 2024-10-09 19:14 – Updated: 2025-05-02 12:54

Summary

Wasmtime race condition could lead to WebAssembly control-flow integrity and type safety violations

Details

Impact

Under certain concurrent event orderings, a wasmtime::Engine's internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly's control-flow integrity (CFI) and type safety. Users that do not use wasmtime::Engine across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected.

Reproducing this bug requires creating and dropping multiple type instances (such as wasmtime::FuncType or wasmtime::ArrayType) concurrently on multiple threads, where all types are associated with the same wasmtime::Engine. Wasm guests cannot trigger this bug. See the "References" section below for a list of Wasmtime types-related APIs that are affected.

Wasmtime maintains an internal registry of types within a wasmtime::Engine and an engine is shareable across threads. Types can be created and referenced through creation of a wasmtime::Module, creation of wasmtime::FuncType, or a number of other APIs where the host creates a function (see "References" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly's call_indirect function, for example. This bug is a race condition in this management where the internal type registry could be corrupted to trigger an assert or contain invalid state.

Wasmtime's internal representation of a type has individual types (e.g. one-per-host-function) maintain a registration count of how many time it's been used. Types additionally have state within an engine behind a read-write lock such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where one thread atomically decrements a type entry's registration count, observes zero registrations, and then acquires a lock in order to unregister that entry. However, between when this first thread observed the zero-registration count and when it acquires that lock, another thread could perform the following sequence of events: re-register another copy of the type, which deduplicates to that same entry, resurrecting it and incrementing its registration count; then drop the type and decrement its registration count; observe that the registration count is now zero; acquire the type registry lock; and finally unregister the type. Now, when the original thread finally acquires the lock and unregisters the entry, it is the second time this entry has been unregistered.

Thread A	Thread B
`acquire(type registry lock)`
	`decref(E) --> 0`
	`block_on(type registry lock)`
`register(E') == incref(E) --> 1`
`release(type registry lock)`
`decref(E) --> 0`
`acquire(type registry lock)`
`unregister(E)`
`release(type registry lock)`
	`acquire(type registry lock)`
	`unregister(E)`

This double-unregistration could then lead to a WebAssembly CFI violation under the following conditions: a new WebAssembly module X was loaded into the engine before the second, buggy unregistration occurs; X defined a function type F that was allocated in the same type registry slot where the original entry was allocated; the second, buggy unregistration incorrectly unregistered F; another new WebAssembly module Y was loaded into the engine; Y defined a function type G, different from F, but which is also allocated in the same type registry slot; a funcref of type G is created, either by the host or by Wasm; that funcref is passed to a WebAssembly instance of module X; that instance performs a call_indirect to that funcref; the call_indirect's dynamic type check, which preserves CFI, could incorrectly pass in this case, because F and G were assigned the same type registry slot. This would, ultimately, allow calling a function with too many, too few, or wrongly-typed arguments, violating CFI and type safety.

We were not able to reproduce this CFI violation in a vanilla Wasmtime build, although it remains theoretically possible. However, by modifying Wasmtime's source code to make losing the races described above more likely (by disabling certain assertions, inserting panic catches, and adding retry loops in a few places if we did not lose the race) we were able to incorrectly get a funcref to pass a type check that it should have failed, which would allow the CFI violation.

Patches

This bug was originally introduced in Wasmtime 19's development of the WebAssembly GC proposal. This bug affects users who are not using the GC proposal, however, and affects Wasmtime in its default configuration even when the GC proposal is disabled. Wasmtime users using 19.0.0 and after are all affected by this issue. We have released the following Wasmtime versions, all of which have a fix for this bug:

21.0.2
22.0.1
23.0.3
24.0.1
25.0.2

Workarounds

If your application creates and drops Wasmtime types on multiple threads concurrently, there are no known workarounds. Users are encouraged to upgrade to a patched release.

References

The following APIs create or drop types, and therefore are affected by this race condition if performed on multiple threads concurrently and are all associated with the same wasmtime::Engine:

wasmtime::FuncType::new
Also reachable from creation of wasmtime::Func
Also reachable from wasmtime::Linker::func_*
wasmtime::ArrayType::new
wasmtime::StructType::new
wasmtime::Func::ty
wasmtime::Global::ty
wasmtime::Table::ty
wasmtime::Extern::ty
wasmtime::Export::ty
wasmtime::UnknownImportError::ty
wasmtime::ImportType::ty
wasmtime::ExportType::ty
wasmtime::Val::ty
wasmtime::Ref::ty
wasmtime::AnyRef::ty
wasmtime::EqRef::ty
wasmtime::ArrayRef::ty
wasmtime::StructRef::ty
Dropping a wasmtime::FuncType
Dropping a wasmtime::ArrayType
Dropping a wasmtime::StructType
Dropping a wasmtime::ExternType
Dropping a wasmtime::GlobalType
Dropping a wasmtime::TableType
Dropping a wasmtime::ValType
Dropping a wasmtime::RefType
Dropping a wasmtime::HeapType
Dropping a wasmtime::UnknownImportError
Dropping a wasmtime::Linker

The change which introduced this bug was #7969

Severity ?

2.9 (Low)


                  
                    CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L

1.0 (Low)


                  
                    CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0"
            },
            {
              "fixed": "21.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "22.0.0"
            },
            {
              "fixed": "22.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.0.0"
            },
            {
              "fixed": "23.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.0.0"
            },
            {
              "fixed": "24.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "25.0.0"
            },
            {
              "fixed": "25.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-367"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-09T19:14:35Z",
    "nvd_published_at": "2024-10-09T18:15:09Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nUnder certain concurrent event orderings, a `wasmtime::Engine`\u0027s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly\u0027s control-flow integrity (CFI) and type safety. Users that do not use `wasmtime::Engine` across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected.\n\nReproducing this bug requires creating and dropping multiple type instances (such as `wasmtime::FuncType` or `wasmtime::ArrayType`) concurrently on multiple threads, where all types are associated with the same `wasmtime::Engine`. **Wasm guests cannot trigger this bug.** See the \"References\" section below for a list of Wasmtime types-related APIs that are affected.\n\nWasmtime maintains an internal registry of types within a `wasmtime::Engine` and an engine is shareable across threads. Types can be created and referenced through creation of a `wasmtime::Module`, creation of `wasmtime::FuncType`, or a number of other APIs where the host creates a function (see \"References\" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly\u0027s `call_indirect` function, for example. This bug is a race condition in this management where the internal type registry could be corrupted to trigger an assert or contain invalid state.\n\nWasmtime\u0027s internal representation of a type has individual types (e.g. one-per-host-function) maintain a registration count of how many time it\u0027s been used. Types additionally have state within an engine behind a read-write lock such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where one thread atomically decrements a type entry\u0027s registration count, observes zero registrations, and then acquires a lock in order to unregister that entry. However, between when this first thread observed the zero-registration count and when it acquires that lock, another thread could perform the following sequence of events: re-register another copy of the type, which deduplicates to that same entry, resurrecting it and incrementing its registration count; then drop the type and decrement its registration count; observe that the registration count is now zero; acquire the type registry lock; and finally unregister the type. Now, when the original thread finally acquires the lock and unregisters the entry, it is the second time this entry has been unregistered.\n\n| Thread A                          | Thread B                       |\n|-----------------------------------|--------------------------------|\n| `acquire(type registry lock)`     |                                |\n|                                   | `decref(E) --\u003e 0`              |\n|                                   | `block_on(type registry lock)` |\n| `register(E\u0027) == incref(E) --\u003e 1` |                                |\n| `release(type registry lock)`     |                                |\n| `decref(E) --\u003e 0`                 |                                |\n| `acquire(type registry lock)`     |                                |\n| `unregister(E)`                   |                                |\n| `release(type registry lock)`     |                                |\n|                                   | `acquire(type registry lock)`  |\n|                                   | `unregister(E)`          |\n\n\nThis double-unregistration could then lead to a WebAssembly CFI violation under the following conditions: a new WebAssembly module `X` was loaded into the engine before the second, buggy unregistration occurs; `X` defined a function type `F` that was allocated in the same type registry slot where the original entry was allocated; the second, buggy unregistration incorrectly unregistered `F`; another new WebAssembly module `Y` was loaded into the engine; `Y` defined a function type `G`, different from `F`, but which is also allocated in the same type registry slot; a `funcref` of type `G` is created, either by the host or by Wasm; that `funcref` is passed to a WebAssembly instance of module `X`; that instance performs a `call_indirect` to that `funcref`; the `call_indirect`\u0027s dynamic type check, which preserves CFI, could incorrectly pass in this case, because `F` and `G` were assigned the same type registry slot. This would, ultimately, allow calling a function with too many, too few, or wrongly-typed arguments, violating CFI and type safety.\n\nWe were not able to reproduce this CFI violation in a vanilla Wasmtime build, although it remains theoretically possible. However, by modifying Wasmtime\u0027s source code to make losing the races described above more likely (by disabling certain assertions, inserting panic catches, and adding retry loops in a few places if we did *not* lose the race) we were able to incorrectly get a `funcref` to pass a type check that it should have failed, which would allow the CFI violation.\n\n### Patches\n\nThis bug was originally introduced in Wasmtime 19\u0027s development of the WebAssembly GC proposal. This bug affects users who are not using the GC proposal, however, and affects Wasmtime in its default configuration even when the GC proposal is disabled. Wasmtime users using 19.0.0 and after are all affected by this issue. We have released the following Wasmtime versions, all of which have a fix for this bug:\n\n* 21.0.2\n* 22.0.1\n* 23.0.3\n* 24.0.1\n* 25.0.2\n\n### Workarounds\n\nIf your application creates and drops Wasmtime types on multiple threads concurrently, there are no known workarounds. Users are encouraged to upgrade to a patched release. \n\n### References\n\nThe following APIs create or drop types, and therefore are affected by this race condition if performed on multiple threads concurrently and are all associated with the same `wasmtime::Engine`:\n\n* [`wasmtime::FuncType::new`](https://docs.rs/wasmtime/latest/wasmtime/struct.FuncType.html#method.new)\n  * Also reachable from creation of [`wasmtime::Func`](https://docs.rs/wasmtime/latest/wasmtime/struct.Func.html)\n  * Also reachable from [`wasmtime::Linker::func_*`](https://docs.rs/wasmtime/latest/wasmtime/struct.Linker.html#method.func_new)\n* [`wasmtime::ArrayType::new`](https://docs.rs/wasmtime/latest/wasmtime/struct.ArrayType.html#method.new)\n* [`wasmtime::StructType::new`](https://docs.rs/wasmtime/latest/wasmtime/struct.StructType.html#method.new)\n* [`wasmtime::Func::ty`](https://docs.rs/wasmtime/latest/wasmtime/struct.Func.html#method.ty)\n* [`wasmtime::Global::ty`](https://docs.rs/wasmtime/latest/wasmtime/struct.Global.html#method.ty)\n* [`wasmtime::Table::ty`](https://docs.rs/wasmtime/latest/wasmtime/struct.Table.html#method.ty)\n* [`wasmtime::Extern::ty`](https://docs.rs/wasmtime/latest/wasmtime/struct.Extern.html#method.ty)\n* [`wasmtime::Export::ty`](https://docs.rs/wasmtime/latest/wasmtime/struct.Export.html#method.ty)\n* [`wasmtime::UnknownImportError::ty`](https://docs.rs/wasmtime/latest/wasmtime/struct.UnknownImportError.html#method.ty)\n* [`wasmtime::ImportType::ty`](https://docs.rs/wasmtime/latest/wasmtime/struct.ImportType.html#method.ty)\n* [`wasmtime::ExportType::ty`](https://docs.rs/wasmtime/latest/wasmtime/struct.ExportType.html#method.ty)\n* [`wasmtime::Val::ty`](https://docs.rs/wasmtime/latest/wasmtime/struct.Val.html#method.ty)\n* [`wasmtime::Ref::ty`](https://docs.rs/wasmtime/latest/wasmtime/struct.Ref.html#method.ty)\n* [`wasmtime::AnyRef::ty`](https://docs.rs/wasmtime/latest/wasmtime/struct.AnyRef.html#method.ty)\n* [`wasmtime::EqRef::ty`](https://docs.rs/wasmtime/latest/wasmtime/struct.EqRef.html#method.ty)\n* [`wasmtime::ArrayRef::ty`](https://docs.rs/wasmtime/latest/wasmtime/struct.ArrayRef.html#method.ty)\n* [`wasmtime::StructRef::ty`](https://docs.rs/wasmtime/latest/wasmtime/struct.StructRef.html#method.ty)\n* Dropping a [`wasmtime::FuncType`](https://docs.rs/wasmtime/latest/wasmtime/struct.FuncType.html)\n* Dropping a [`wasmtime::ArrayType`](https://docs.rs/wasmtime/latest/wasmtime/struct.ArrayType.html)\n* Dropping a [`wasmtime::StructType`](https://docs.rs/wasmtime/latest/wasmtime/struct.StructType.html)\n* Dropping a [`wasmtime::ExternType`](https://docs.rs/wasmtime/latest/wasmtime/struct.ExternType.html)\n* Dropping a [`wasmtime::GlobalType`](https://docs.rs/wasmtime/latest/wasmtime/struct.GlobalType.html)\n* Dropping a [`wasmtime::TableType`](https://docs.rs/wasmtime/latest/wasmtime/struct.TableType.html)\n* Dropping a [`wasmtime::ValType`](https://docs.rs/wasmtime/latest/wasmtime/struct.ValType.html)\n* Dropping a [`wasmtime::RefType`](https://docs.rs/wasmtime/latest/wasmtime/struct.RefType.html)\n* Dropping a [`wasmtime::HeapType`](https://docs.rs/wasmtime/latest/wasmtime/struct.HeapType.html)\n* Dropping a [`wasmtime::UnknownImportError`](https://docs.rs/wasmtime/latest/wasmtime/struct.UnknownImportError.html)\n* Dropping a [`wasmtime::Linker`](https://docs.rs/wasmtime/latest/wasmtime/struct.Linker.html)\n\nThe change which introduced this bug was [#7969](https://github.com/bytecodealliance/wasmtime/pull/7969)",
  "id": "GHSA-7qmx-3fpx-r45m",
  "modified": "2025-05-02T12:54:18Z",
  "published": "2024-10-09T19:14:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7qmx-3fpx-r45m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/pull/7969"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/commit/0ebe54d05f0e1f6c64b7c8bb48c9e9f6c95cacba"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bytecodealliance/wasmtime"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0439.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Wasmtime race condition could lead to WebAssembly control-flow integrity and type safety violations"
}

FKIE_CVE-2024-47813

Vulnerability from fkie_nvd - Published: 2024-10-09 18:15 - Updated: 2025-09-29 13:11

Severity ?

2.9 (Low) - CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/bytecodealliance/wasmtime/pull/7969	Product
	security-advisories@github.com	https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7qmx-3fpx-r45m	Third Party Advisory

Impacted products

Vendor	Product	Version
bytecodealliance	wasmtime	19.0.0
bytecodealliance	wasmtime	19.0.1
bytecodealliance	wasmtime	19.0.2
bytecodealliance	wasmtime	20.0.0
bytecodealliance	wasmtime	20.0.1
bytecodealliance	wasmtime	20.0.2
bytecodealliance	wasmtime	21.0.0
bytecodealliance	wasmtime	21.0.1
bytecodealliance	wasmtime	22.0.0
bytecodealliance	wasmtime	23.0.0
bytecodealliance	wasmtime	23.0.1
bytecodealliance	wasmtime	23.0.2
bytecodealliance	wasmtime	24.0.0
bytecodealliance	wasmtime	25.0.0
bytecodealliance	wasmtime	25.0.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:19.0.0:*:*:*:*:rust:*:*",
              "matchCriteriaId": "9C2CCC83-D074-46EA-9164-0B7C1B12FDCA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:19.0.1:*:*:*:*:rust:*:*",
              "matchCriteriaId": "2B0BCC5C-5794-4048-9C57-1D90936E7CDE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:19.0.2:*:*:*:*:rust:*:*",
              "matchCriteriaId": "5256B82A-4B98-4B4F-B4CA-D5AFCFDD07A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:20.0.0:*:*:*:*:rust:*:*",
              "matchCriteriaId": "AB1089C6-2659-49D1-8003-E997B0BE8498",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:20.0.1:*:*:*:*:rust:*:*",
              "matchCriteriaId": "3E504E62-8A66-472D-9D32-72FBD444B619",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:20.0.2:*:*:*:*:rust:*:*",
              "matchCriteriaId": "9A5B89ED-2D52-4988-86F7-91F0A251F8E4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:21.0.0:*:*:*:*:rust:*:*",
              "matchCriteriaId": "17021694-8315-415D-B8DF-4DC793CDB048",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:21.0.1:*:*:*:*:rust:*:*",
              "matchCriteriaId": "ABFC1FF6-EF52-4844-A149-6A99D7885D83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:22.0.0:*:*:*:*:rust:*:*",
              "matchCriteriaId": "81EB9A7A-B457-4528-94A9-A6FECD263639",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:23.0.0:*:*:*:*:rust:*:*",
              "matchCriteriaId": "4382AEDF-BECB-4620-9B83-1607BC9ACC19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:23.0.1:*:*:*:*:rust:*:*",
              "matchCriteriaId": "C096E57B-3199-4767-BD6A-9029B8FC82F7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:23.0.2:*:*:*:*:rust:*:*",
              "matchCriteriaId": "B012EBF7-BAE7-4170-AE5B-334E9B24FA0C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:24.0.0:*:*:*:*:rust:*:*",
              "matchCriteriaId": "F7D05338-DE31-40CB-9D40-5761BF5E51F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:25.0.0:*:*:*:*:rust:*:*",
              "matchCriteriaId": "93D6A473-5987-4AFD-B25F-21A324A65305",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:25.0.1:*:*:*:*:rust:*:*",
              "matchCriteriaId": "3FA90264-0D7B-4DAE-BE90-A96A42C7B2BB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`\u0027s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly\u0027s control-flow integrity (CFI) and type safety. Users that do not use `wasmtime::Engine` across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected. Reproducing this bug requires creating and dropping multiple type instances (such as `wasmtime::FuncType` or `wasmtime::ArrayType`) concurrently on multiple threads, where all types are associated with the same `wasmtime::Engine`. **Wasm guests cannot trigger this bug.** See the \"References\" section below for a list of Wasmtime types-related APIs that are affected. Wasmtime maintains an internal registry of types within a `wasmtime::Engine` and an engine is shareable across threads. Types can be created and referenced through creation of a `wasmtime::Module`, creation of `wasmtime::FuncType`, or a number of other APIs where the host creates a function (see \"References\" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly\u0027s `call_indirect` function, for example. This bug is a race condition in this management where the internal type registry could be corrupted to trigger an assert or contain invalid state. Wasmtime\u0027s internal representation of a type has individual types (e.g. one-per-host-function) maintain a registration count of how many time it\u0027s been used. Types additionally have state within an engine behind a read-write lock such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where one thread atomically decrements a type entry\u0027s registration count, observes zero registrations, and then acquires a lock in order to unregister that entry. However, between when this first thread observed the zero-registration count and when it acquires that lock, another thread could perform the following sequence of events: re-register another copy of the type, which deduplicates to that same entry, resurrecting it and incrementing its registration count; then drop the type and decrement its registration count; observe that the registration count is now zero; acquire the type registry lock; and finally unregister the type. Now, when the original thread finally acquires the lock and unregisters the entry, it is the second time this entry has been unregistered. This bug was originally introduced in Wasmtime 19\u0027s development of the WebAssembly GC proposal. This bug affects users who are not using the GC proposal, however, and affects Wasmtime in its default configuration even when the GC proposal is disabled. Wasmtime users using 19.0.0 and after are all affected by this issue. We have released the following Wasmtime versions, all of which have a fix for this bug: * 21.0.2 * 22.0.1 * 23.0.3 * 24.0.1 * 25.0.2. If your application creates and drops Wasmtime types on multiple threads concurrently, there are no known workarounds. Users are encouraged to upgrade to a patched release."
    },
    {
      "lang": "es",
      "value": "Wasmtime es un entorno de ejecuci\u00f3n de c\u00f3digo abierto para WebAssembly. Bajo ciertas \u00f3rdenes de eventos concurrentes, el registro de tipos interno de `wasmtime::Engine` era susceptible a errores de doble anulaci\u00f3n de registro debido a una condici\u00f3n de ejecuci\u00f3n, lo que provocaba p\u00e1nicos y, potencialmente, corrupci\u00f3n del registro de tipos. Esa corrupci\u00f3n del registro podr\u00eda, despu\u00e9s de una secuencia adicional y particular de eventos concurrentes, provocar violaciones de la integridad del flujo de control (CFI) y la seguridad de tipos de WebAssembly. Los usuarios que no usan `wasmtime::Engine` en varios subprocesos no se ven afectados. Los usuarios que solo crean nuevos m\u00f3dulos en varios subprocesos a lo largo del tiempo tampoco se ven afectados. Para reproducir este error es necesario crear y eliminar varias instancias de tipo (como `wasmtime::FuncType` o `wasmtime::ArrayType`) simult\u00e1neamente en varios subprocesos, donde todos los tipos est\u00e1n asociados con el mismo `wasmtime::Engine`. **Los invitados de Wasm no pueden activar este error.** Consulte la secci\u00f3n \"Referencias\" a continuaci\u00f3n para obtener una lista de las API relacionadas con los tipos de Wasmtime que se ven afectadas. Wasmtime mantiene un registro interno de tipos dentro de un `wasmtime::Engine` y un motor se puede compartir entre subprocesos. Los tipos se pueden crear y referenciar mediante la creaci\u00f3n de un `wasmtime::Module`, la creaci\u00f3n de `wasmtime::FuncType` o una serie de otras API donde el host crea una funci\u00f3n (consulte \"Referencias\" a continuaci\u00f3n). Cada uno de estos casos interact\u00faa con un motor para deduplicar la informaci\u00f3n de tipo y administrar los \u00edndices de tipo que se utilizan para implementar las comprobaciones de tipo en la funci\u00f3n `call_indirect` de WebAssembly, por ejemplo. Este error es una condici\u00f3n de ejecuci\u00f3n en esta gesti\u00f3n donde el registro de tipo interno podr\u00eda estar da\u00f1ado para activar una aserci\u00f3n o contener un estado no v\u00e1lido. La representaci\u00f3n interna de Wasmtime de un tipo tiene tipos individuales (por ejemplo, uno por funci\u00f3n de host) que mantienen un recuento de registro de cu\u00e1ntas veces se ha utilizado. Los tipos tambi\u00e9n tienen un estado dentro de un motor detr\u00e1s de un bloqueo de lectura y escritura, como informaci\u00f3n de b\u00fasqueda o deduplicaci\u00f3n. La ejecuci\u00f3n aqu\u00ed es un error de tiempo de verificaci\u00f3n versus tiempo de uso (TOCTOU) donde un hilo disminuye at\u00f3micamente el recuento de registros de una entrada de tipo, observa cero registros y luego adquiere un bloqueo para anular el registro de esa entrada. Sin embargo, entre el momento en que este primer hilo observ\u00f3 el recuento de registros cero y el momento en que adquiere ese bloqueo, otro hilo podr\u00eda realizar la siguiente secuencia de eventos: volver a registrar otra copia del tipo, que deduplica esa misma entrada, resucit\u00e1ndola e incrementando su recuento de registros; luego, descartar el tipo y disminuir su recuento de registros; observar que el recuento de registros ahora es cero; adquirir el bloqueo de registro de tipo; y finalmente anular el registro del tipo. Ahora, cuando el hilo original finalmente adquiere el bloqueo y anula el registro de la entrada, es la segunda vez que se anula el registro de esta entrada. Este error se introdujo originalmente en el desarrollo de la propuesta de recolecci\u00f3n de elementos no utilizados de WebAssembly en Wasmtime 19. Sin embargo, este error afecta a los usuarios que no utilizan la propuesta de recolecci\u00f3n de elementos no utilizados y afecta a Wasmtime en su configuraci\u00f3n predeterminada incluso cuando la propuesta de recolecci\u00f3n de elementos no utilizados est\u00e1 deshabilitada. Los usuarios de Wasmtime que utilizan la versi\u00f3n 19.0.0 y posteriores se ven afectados por este problema. Hemos publicado las siguientes versiones de Wasmtime, todas las cuales tienen una soluci\u00f3n para este error: * 21.0.2 * 22.0.1 * 23.0.3 * 24.0.1 * 25.0.2. --- truncada ---"
    }
  ],
  "id": "CVE-2024-47813",
  "lastModified": "2025-09-29T13:11:34.543",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 2.9,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 0.3,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-10-09T18:15:09.120",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/bytecodealliance/wasmtime/pull/7969"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7qmx-3fpx-r45m"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-367"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-47813 (GCVE-0-2024-47813)

cve-2024-47813

Vulnerability from osv_rustsec

GHSA-7QMX-3FPX-R45M

Impact

Patches

Workarounds

References

FKIE_CVE-2024-47813

Tags

Sightings

Nomenclature