CVE-2022-39392
CVE-2022-39392 is a medium-severity vulnerability in Bytecodealliance Wasmtime with a CVSS 3.x base score of 5.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-125.
Key facts
- Severity: Medium (CVSS 3.x base score 5.9)
- EPSS exploit prediction: 1% (43rd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-125
- Affected product: Bytecodealliance Wasmtime
- Published:
- Last modified:
Description
Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator when the allocator is configured to give WebAssembly instances a maximum of zero pages of memory. In this configuration, the virtual memory mapping for WebAssembly memories did not meet the compiler-required configuration requirements for safely executing WebAssembly modules. Wasmtime's default settings require virtual memory page faults to indicate that wasm reads/writes are out-of-bounds, but the pooling allocator's configuration would not create an appropriate virtual memory mapping for this meaning out of bounds reads/writes can successfully read/write memory unrelated to the wasm sandbox within range of the base address of the memory mapping created by the pooling allocator. This bug is not applicable with the default settings of the `wasmtime` crate. This bug can only be triggered by setting `InstanceLimits::memory_pages` to zero. This is expected to be a very rare configuration since this means that wasm modules cannot allocate any pages of linear memory. All wasm modules produced by all current toolchains are highly likely to use linear memory, so it's expected to be unlikely that this configuration is set to zero by any production embedding of Wasmtime. This bug has been patched and users should upgrade to Wasmtime 2.0.2. This bug can be worked around by increasing the `memory_pages` allotment when configuring the pooling allocator to a value greater than zero. If an embedding wishes to still prevent memory from actually being used then the `Store::limiter` method can be used to dynamically disallow growth of memory beyond 0 bytes large. Note that the default `memory_pages` value is greater than zero.
Frequently asked questions
- What is CVE-2022-39392?
- Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator when the allocator is configured to give WebAssembly instances a maximum of zero pages of memory. In this configuration, the virtual memory mapping for WebAssembly memories did not meet the compiler-required configuration requirements for safely executing WebAssembly modules. Wasmtime's default settings require virtual memory page faults to indicate that wasm reads/writes are out-of-bounds, but the pooling allocator's configuration would not create an appropriate virtual memory mapping for this meaning out of bounds reads/writes can successfully read/write memory unrelated to the wasm sandbox within range of the base address of the memory mapping created by the pooling allocator. This bug is not applicable with the default settings of the `wasmtime` crate. This bug can only be triggered by setting `InstanceLimits::memory_pages` to zero. This is expected to be a very rare configuration since this means that wasm modules cannot allocate any pages of linear memory. All wasm modules produced by all current toolchains are highly likely to use linear memory, so it's expected to be unlikely that this configuration is set to zero by any production embedding of Wasmtime. This bug has been patched and users should upgrade to Wasmtime 2.0.2. This bug can be worked around by increasing the `memory_pages` allotment when configuring the pooling allocator to a value greater than zero. If an embedding wishes to still prevent memory from actually being used then the `Store::limiter` method can be used to dynamically disallow growth of memory beyond 0 bytes large. Note that the default `memory_pages` value is greater than zero.
- How severe is CVE-2022-39392?
- CVE-2022-39392 has a CVSS 3.x base score of 5.9, rated medium severity. It is exploitable over network with high attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2022-39392 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (43rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-39392?
- CVE-2022-39392 affects Bytecodealliance Wasmtime. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-39392?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2022-39392 published?
- CVE-2022-39392 was published on 2022-11-10 and last updated on 2026-06-17.
References
- https://github.com/bytecodealliance/wasmtime/commit/e60c3742904ccbb3e26da201c9221c38a4981d72
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-44mr-8vmm-wjhg
Affected products (1)
- cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*
More vulnerabilities in Bytecodealliance Wasmtime
- CVE-2024-51745 — Critical (CVSS 10.0): Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks…
- CVE-2026-34987 — Critical (CVSS 9.9): Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime with its Winch…
- CVE-2023-26489 — Critical (CVSS 9.9): wasmtime is a fast and secure runtime for WebAssembly. In affected versions wasmtime's code generator, Cranelift, has a…
- CVE-2022-39393 — High (CVSS 8.6): Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's…
- CVE-2026-34941 — High (CVSS 8.1): Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability…
- CVE-2022-24791 — High (CVSS 8.1): Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. There is a use after free vulnerability in…
All CVEs affecting Bytecodealliance Wasmtime →
Other CWE-125 (Out-of-bounds Read) vulnerabilities
- CVE-2026-24826 — Critical (CVSS 10.0): Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read,…
- CVE-2024-22004 — Critical (CVSS 10.0): Due to length check, an attacker with privilege access on a Linux Nonsecure operating system can trigger a…
- CVE-2021-41556 — Critical (CVSS 10.0): sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that…
- CVE-2021-21777 — Critical (CVSS 10.0): An information disclosure vulnerability exists in the Ethernet/IP UDP handler functionality of EIP Stack Group OpENer…
- CVE-2017-14451 — Critical (CVSS 10.0): An exploitable out-of-bounds read vulnerability exists in libevm (Ethereum Virtual Machine) of CPP-Ethereum. A…
- CVE-2013-0767 — Critical (CVSS 10.0): The nsSVGPathElement::GetPathLengthScale function in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and…