CVE-2022-39393
Summary
| CVE | CVE-2022-39393 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-11-10 20:15:00 UTC |
| Updated | 2022-11-17 16:01:00 UTC |
| Description | Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator: when a linear memory is reused for another instance, the initial heap snapshot of the prior instance can be erroneously visible to the next instance. This bug has been patched and users should upgrade to Wasmtime 2.0.2. Other mitigations include disabling the pooling allocator and disabling the `memory-init-cow`. |
Risk And Classification
Problem Types: CWE-212
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Bytecodealliance | Wasmtime | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Merge pull request from GHSA-wh6w-3828-g9qf · bytecodealliance/wasmtime@2614f2e · GitHub | MISC | github.com | |
| Data leakage between instances in the pooling allocator · Advisory · bytecodealliance/wasmtime · GitHub | CONFIRM | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.