HIGH🇵🇱 Wersja polska

CVE-2022-39393

CVSS 8.6v3.1pub. 2022-11-10upd. 2025-05-02

Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap snapshot of the prior instance can be visible, erroneously to the next instance. This bug has been patched and users should upgrade to Wasmtime 2.0.2 and 1.0.2. Other mitigations include disabling the pooling allocator and disabling the `memory-init-cow`.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
  • Bytecodealliance Wasmtime

    APP
    Bytecodealliance
    < 1.0.22.0.0 – 2.0.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-34987CRITICAL9.0PL ✓ten sam produkt

Wasmtime (Winch): ucieczka z sandboxa WebAssembly, dostęp do pamięci hosta

CVE-2026-34971CRITICAL9.0PL ✓ten sam produkt

Wasmtime Cranelift: ucieczka z sandbox przez błędną kompilację na aarch64

CVE-2023-26489CRITICAL9.9ten sam produkt

wasmtime is a fast and secure runtime for WebAssembly. In affected versions wasmtime's code generator, Craneli...

CVE-2022-24791HIGH8.1ten sam produkt

Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. There is a use after free vulnera...

CVE-2026-44216MEDIUM5.9ten sam produkt

Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, and 44.0.1, Wasmtime's allocation logic ...