Use-after-free in Wasmtime - CVE-2022-24791

Published: March 31, 2022 / Updated: April 23, 2026


Vulnerability identifier: #VU127029
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-24791
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Wasmtime
Software vendor: Bytecode Alliance

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to a use-after-free in Wasmtime's handling of externref values when running Wasm with epoch interruption enabled. A local user can run crafted Wasm code that uses externref values to trigger the use-after-free and execute arbitrary code.

Only configurations with both epoch interruption and the Wasm reference types proposal enabled are vulnerable; disabling either feature removes the affected code path.


Remediation

Install the security update from the vendor's website.

External links