crates.io package
wasmtime
pkg:cargo/wasmtime
Vulnerabilities (39)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-51745 | — | < 24.0.2 | 24.0.2 | Nov 5, 2024 | Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use su | ||
| CVE-2024-47813 | — | >= 19.0.0, < 21.0.2 | 21.0.2 | Oct 9, 2024 | Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That regi | ||
| CVE-2024-47763 | — | >= 12.0.0, < 21.0.2 | 21.0.2 | Oct 9, 2024 | Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or | ||
| CVE-2024-30266 | — | >= 19.0.0, < 19.0.1 | 19.0.1 | Apr 4, 2024 | wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this pan | ||
| CVE-2023-41880 | — | >= 10.0.0, < 10.0.2 | 10.0.2 | Sep 15, 2023 | Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions from 10.0.0 to versions 10.02, 11.0.2, and 12.0.1 contain a miscompilation of the WebAssembly `i64x2.shr_s` instruction on x86_64 platforms when the shift amount is a constant value that is larger than 32. Only x | ||
| CVE-2023-30624 | — | < 6.0.2 | 6.0.2 | Apr 27, 2023 | Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level iss | ||
| CVE-2023-26489 | — | >= 0.37.0, < 4.0.1 | 4.0.1 | Mar 8, 2023 | wasmtime is a fast and secure runtime for WebAssembly. In affected versions wasmtime's code generator, Cranelift, has a bug on x86_64 targets where address-mode computation mistakenly would calculate a 35-bit effective address instead of WebAssembly's defined 33-bit effective add | ||
| CVE-2023-27477 | — | >= 1.0.0, < 4.0.1 | 4.0.1 | Mar 8, 2023 | wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's code generation backend, Cranelift, has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will produce the wrong results when the same operand is provided to the instruction and some of | ||
| CVE-2022-39394 | — | >= 2.0.0, < 2.0.2 | 2.0.2 | Nov 10, 2022 | Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's C API implementation where the definition of the `wasmtime_trap_code` does not match its declared signature in the `wasmtime/trap.h` header file. This discrepancy causes the fun | ||
| CVE-2022-39393 | — | >= 2.0.0, < 2.0.2 | 2.0.2 | Nov 10, 2022 | Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap snapshot of the prior instance can be visi | ||
| CVE-2022-39392 | — | >= 2.0.0, < 2.0.2 | 2.0.2 | Nov 10, 2022 | Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator when the allocator is configured to give WebAssembly instances a maximum of zero pages of memory. In this configuration, the vir | ||
| CVE-2022-31169 | — | < 0.38.2 | 0.38.2 | Jul 21, 2022 | Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, for AArch64 targets where constant divisors can result in incorrect division results at runtime. This affects Wasmtime prior to version 0.38.2 and Cranelift prior to 0.85.2. | ||
| CVE-2022-31146 | — | >= 0.37.0, < 0.38.2 | 0.38.2 | Jul 20, 2022 | Wasmtime is a standalone runtime for WebAssembly. There is a bug in the Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing metadata required for runtime garbage collection. This means that if a GC happens at runtime then the GC | ||
| CVE-2022-31104 | — | < 0.38.1 | 0.38.1 | Jun 27, 2022 | Wasmtime is a standalone runtime for WebAssembly. In affected versions wasmtime's implementation of the SIMD proposal for WebAssembly on x86_64 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The aarch64 implementation of the simd proposal is no | ||
| CVE-2022-24791 | — | < 0.34.2 | 0.34.2 | Mar 31, 2022 | Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. There is a use after free vulnerability in Wasmtime when both running Wasm that uses externrefs and enabling epoch interruption in Wasmtime. If you are not explicitly enabling epoch interruption (it is d | ||
| CVE-2022-23636 | — | >= 0.34.0, < 0.34.1 | 0.34.1 | Feb 16, 2022 | Wasmtime is an open source runtime for WebAssembly & WASI. Prior to versions 0.34.1 and 0.33.1, there exists a bug in the pooling instance allocator in Wasmtime's runtime where a failure to instantiate an instance for a module that defines an `externref` global will result in an | ||
| CVE-2021-39218 | — | >= 0.26.0, < 0.30.0 | 0.30.0 | Sep 17, 2021 | Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.26.0 and before version 0.30.0 is affected by a memory unsoundness vulnerability. There was an invalid free and out-of-bounds read and write bug when running Wasm that uses `externref`s in Wasmt | ||
| CVE-2021-39219 | — | < 0.30.0 | 0.30.0 | Sep 17, 2021 | Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime before version 0.30.0 is affected by a type confusion vulnerability. As a Rust library the `wasmtime` crate clearly marks which functions are safe and which are `unsafe`, guaranteeing that if consumers never use | ||
| CVE-2021-39216 | — | < 0.30.0 | 0.30.0 | Sep 17, 2021 | Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s |
- CVE-2024-51745Nov 5, 2024affected < 24.0.2fixed 24.0.2
Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use su
- CVE-2024-47813Oct 9, 2024affected >= 19.0.0, < 21.0.2fixed 21.0.2
Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That regi
- CVE-2024-47763Oct 9, 2024affected >= 12.0.0, < 21.0.2fixed 21.0.2
Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or
- CVE-2024-30266Apr 4, 2024affected >= 19.0.0, < 19.0.1fixed 19.0.1
wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this pan
- CVE-2023-41880Sep 15, 2023affected >= 10.0.0, < 10.0.2fixed 10.0.2
Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions from 10.0.0 to versions 10.02, 11.0.2, and 12.0.1 contain a miscompilation of the WebAssembly `i64x2.shr_s` instruction on x86_64 platforms when the shift amount is a constant value that is larger than 32. Only x
- CVE-2023-30624Apr 27, 2023affected < 6.0.2fixed 6.0.2
Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level iss
- CVE-2023-26489Mar 8, 2023affected >= 0.37.0, < 4.0.1fixed 4.0.1
wasmtime is a fast and secure runtime for WebAssembly. In affected versions wasmtime's code generator, Cranelift, has a bug on x86_64 targets where address-mode computation mistakenly would calculate a 35-bit effective address instead of WebAssembly's defined 33-bit effective add
- CVE-2023-27477Mar 8, 2023affected >= 1.0.0, < 4.0.1fixed 4.0.1
wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's code generation backend, Cranelift, has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will produce the wrong results when the same operand is provided to the instruction and some of
- CVE-2022-39394Nov 10, 2022affected >= 2.0.0, < 2.0.2fixed 2.0.2
Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's C API implementation where the definition of the `wasmtime_trap_code` does not match its declared signature in the `wasmtime/trap.h` header file. This discrepancy causes the fun
- CVE-2022-39393Nov 10, 2022affected >= 2.0.0, < 2.0.2fixed 2.0.2
Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap snapshot of the prior instance can be visi
- CVE-2022-39392Nov 10, 2022affected >= 2.0.0, < 2.0.2fixed 2.0.2
Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator when the allocator is configured to give WebAssembly instances a maximum of zero pages of memory. In this configuration, the vir
- CVE-2022-31169Jul 21, 2022affected < 0.38.2fixed 0.38.2
Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, for AArch64 targets where constant divisors can result in incorrect division results at runtime. This affects Wasmtime prior to version 0.38.2 and Cranelift prior to 0.85.2.
- CVE-2022-31146Jul 20, 2022affected >= 0.37.0, < 0.38.2fixed 0.38.2
Wasmtime is a standalone runtime for WebAssembly. There is a bug in the Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing metadata required for runtime garbage collection. This means that if a GC happens at runtime then the GC
- CVE-2022-31104Jun 27, 2022affected < 0.38.1fixed 0.38.1
Wasmtime is a standalone runtime for WebAssembly. In affected versions wasmtime's implementation of the SIMD proposal for WebAssembly on x86_64 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The aarch64 implementation of the simd proposal is no
- CVE-2022-24791Mar 31, 2022affected < 0.34.2fixed 0.34.2
Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. There is a use after free vulnerability in Wasmtime when both running Wasm that uses externrefs and enabling epoch interruption in Wasmtime. If you are not explicitly enabling epoch interruption (it is d
- CVE-2022-23636Feb 16, 2022affected >= 0.34.0, < 0.34.1fixed 0.34.1
Wasmtime is an open source runtime for WebAssembly & WASI. Prior to versions 0.34.1 and 0.33.1, there exists a bug in the pooling instance allocator in Wasmtime's runtime where a failure to instantiate an instance for a module that defines an `externref` global will result in an
- CVE-2021-39218Sep 17, 2021affected >= 0.26.0, < 0.30.0fixed 0.30.0
Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.26.0 and before version 0.30.0 is affected by a memory unsoundness vulnerability. There was an invalid free and out-of-bounds read and write bug when running Wasm that uses `externref`s in Wasmt
- CVE-2021-39219Sep 17, 2021affected < 0.30.0fixed 0.30.0
Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime before version 0.30.0 is affected by a type confusion vulnerability. As a Rust library the `wasmtime` crate clearly marks which functions are safe and which are `unsafe`, guaranteeing that if consumers never use
- CVE-2021-39216Sep 17, 2021affected < 0.30.0fixed 0.30.0
Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s
Page 2 of 2