SB2026041012 - Multiple vulnerabilities in Wasmtime
Published: April 10, 2026
Updated: April 23, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2022-31146)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to trigger a use-after-free.
The vulnerability exists due to a use-after-free in the Cranelift code generator when a WebAssembly module uses reference types and garbage collection occurs while Wasm stack frames are active. A remote user can supply a WebAssembly module that uses non-null externref values and triggers garbage collection, causing a use-after-free.
Exploitation requires the Wasmtime host to pass a non-null externref value into the WebAssembly module.
2) Incorrect calculation (CVE-ID: CVE-2022-31169)
CWE-ID: CWE-682 - Incorrect Calculation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause incorrect computation results within the WebAssembly sandbox.
The vulnerability exists due to improper handling of sign and zero extension in Cranelift code generation for division operations when WebAssembly programs are compiled for AArch64 targets. A remote attacker can execute a specially crafted WebAssembly program to produce incorrect computation results within the WebAssembly sandbox.
Only AArch64 targets are affected.
Remediation
Install the update from the vendor's website.