Use-after-free in Wasmtime - CVE-2022-24791

 

Use-after-free in Wasmtime - CVE-2022-24791

Published: March 31, 2022 / Updated: April 23, 2026


Vulnerability identifier: #VU127029
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-24791
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Bytecode Alliance
Affected software:
Wasmtime

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to use-after-free in Wasmtime's handling of externref values when running Wasm with epoch interruption enabled. A local user can execute crafted Wasm code that uses externref values to execute arbitrary code.

Only configurations with epoch interruption enabled and the Wasm reference types proposal enabled are vulnerable.


How to mitigate CVE-2022-24791

Install security update from vendor's website.

Sources