VYPR
High severity · NVD Advisory · Published Sep 20, 2022 · Updated May 28, 2025

CVE-2022-39974

Description

WASM3 v0.5.0 was discovered to contain a segmentation fault via the component op_Select_i32_srs in wasm3/source/m3_exec.h.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WASM3 v0.5.0 suffers a segmentation fault in the op_Select_i32_srs function, leading to denial of service via crafted WebAssembly bytecode.

Root Cause

The vulnerability resides in the op_Select_i32_srs function within wasm3/source/m3_exec.h at line 1078. During execution, the code attempts to dereference a pointer stored in the RCX register, which is observed to be 0x0 (null) in the provided GDB trace [1]. This null pointer dereference causes a segmentation fault (SIGSEGV), crashing the interpreter.

Exploitation

An attacker can exploit this issue by supplying a specially crafted WebAssembly module that triggers the vulnerable code path. No authentication or special privileges are required; the crash occurs simply when the module is loaded and executed by WASM3. The attack surface is broad because WASM3 is designed to run untrusted WebAssembly in various environments, including browsers, embedded systems, and server-side applications [2].

Impact

Successful exploitation results in a denial of service (DoS) condition, as the interpreter crashes and becomes unavailable. Since WASM3 is used as a library in multiple languages (Python, Rust, C/C++, etc.) [2], a crash can affect any application that embeds the runtime. The Python package pywasm3 is also affected, as noted in the PyPI advisory database [4].

Mitigation

As of the publication date, no official patch has been released. The WASM3 project has entered a minimal maintenance phase due to the maintainer's personal circumstances [2], so fixes may be delayed. Users are advised to avoid processing untrusted WebAssembly modules until a patch is available. Workarounds include sandboxing the interpreter or using alternative runtimes.
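
One way to apply the sandboxing workaround, as an added example that is not code from WASM3 or from this advisory: run the interpreter in a child process with resource limits, so a segmentation fault is reported to the embedding application instead of terminating it. The function names, the worker script name and the crash stand-in are assumptions made for illustration, and the code is POSIX-only.

```python
import resource
import signal
import subprocess
import sys

# Constructed stand-in for a worker whose interpreter segfaults; a real worker
# would be a script (hypothetical: wasm_worker.py) that loads the module.
CRASH_STANDIN = [sys.executable, "-c",
                 "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]


def _cap(res, value):
    """Lower one rlimit in the child, never above the inherited hard limit."""
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def _child_limits(cpu_seconds, mem_bytes):
    def apply():
        _cap(resource.RLIMIT_CPU, cpu_seconds)  # stop runaway execution
        _cap(resource.RLIMIT_AS, mem_bytes)     # bound the address space
        _cap(resource.RLIMIT_CORE, 0)           # no core dumps from crashes
    return apply


def run_isolated(argv, timeout=10.0, cpu_seconds=5, mem_bytes=1 << 30):
    """Run argv in a child process and classify how it ended."""
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout,
                              preexec_fn=_child_limits(cpu_seconds, mem_bytes))
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "signal": None, "stdout": b""}
    if proc.returncode < 0:
        # A negative return code means the child was killed by a signal.
        name = signal.Signals(-proc.returncode).name
        return {"status": "crashed", "signal": name, "stdout": proc.stdout}
    status = "ok" if proc.returncode == 0 else "error"
    return {"status": status, "signal": None, "stdout": proc.stdout}


if __name__ == "__main__":
    print(run_isolated(CRASH_STANDIN))
```

A `crashed` result with `SIGSEGV` is also a useful detection signal: log the module that caused it and refuse to retry it.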

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
pywasm3 (PyPI) | <= 0.5.0 | (none listed)
wasm3 (crates.io) | <= 0.5.0 | (none listed)

Affected products

3

Patches

0

No patches discovered yet.

References

5
