CVE-2022-23636 in Wasmtime

Summary

by MITRE • 02/17/2022

Wasmtime is an open source runtime for WebAssembly & WASI. Prior to versions 0.34.1 and 0.33.1, there exists a bug in the pooling instance allocator in Wasmtime's runtime where a failure to instantiate an instance for a module that defines an `externref` global will result in an invalid drop of a `VMExternRef` via an uninitialized pointer. A number of conditions listed in the GitHub Security Advisory must be true in order for an instance to be vulnerable to this issue. Maintainers believe that the effective impact of this bug is relatively small because the usage of `externref` is still uncommon and without a resource limiter configured on the `Store`, which is not the default configuration, it is only possible to trigger the bug from an error returned by `mprotect` or `VirtualAlloc`. Note that on Linux with the `uffd` feature enabled, it is only possible to trigger the bug from a resource limiter as the call to `mprotect` is skipped. The bug has been fixed in 0.34.1 and 0.33.1 and users are encouraged to upgrade as soon as possible. If it is not possible to upgrade to version 0.34.1 or 0.33.1 of the `wasmtime` crate, it is recommended that support for the reference types proposal be disabled by passing `false` to `Config::wasm_reference_types`. Doing so will prevent modules that use `externref` from being loaded entirely.


Analysis

by VulDB Data Team • 02/19/2022

CVE-2022-23636 affects Wasmtime, an open source runtime for WebAssembly and WASI, in versions prior to 0.34.1 and 0.33.1. The bug lives in the pooling instance allocator, the opt-in allocation strategy that pre-reserves a fixed set of instance slots and reuses them across instantiations; embeddings that keep the default on-demand allocator are not affected. When instantiation of a module that defines an `externref` global fails partway through, the allocator's cleanup path drops the global's `VMExternRef` as though the global had already been written, but instantiation had not yet reached the step that initializes it. The destructor therefore runs on an uninitialized pointer, that is, on whatever bytes the reused slot happened to hold. Because a `VMExternRef` is reference counted, that drop can decrement a count and free memory through a pointer the runtime never validly created. This is memory corruption in the host process, not a fault contained inside the guest sandbox.

The conditions for reaching the bug are restrictive and are enumerated in the GitHub Security Advisory: the pooling allocator must be in use, the reference types proposal must be enabled (it is by default), the module must define an `externref` global, and instantiation must fail after a slot has been taken. The last condition is what keeps the practical impact small. Without a `ResourceLimiter` attached to the `Store`, the only failure path is an error from `mprotect` or `VirtualAlloc` while committing the instance's memory, which depends on host resource pressure rather than on anything the module controls. A resource limiter is a legitimate hardening control rather than a misconfiguration, but it widens the trigger: a limiter that rejects the instance's memory allocation fails instantiation at exactly the point that reaches the faulty cleanup, and a module can provoke that rejection simply by declaring an initial memory larger than the limiter allows. Embedders who run untrusted modules with a limiter and the pooling allocator are therefore the population most exposed.

On Linux with the `uffd` feature enabled the `mprotect` call is skipped, so the resource limiter path is the only one left. The fix in 0.34.1 and 0.33.1 makes the failure-path cleanup skip the `externref` global unless it has actually been initialized, so no destructor runs on stale or uninitialized memory. VulDB maps the issue to CWE-416 (Use After Free); the mechanism the advisory describes is a destructor invoked through an uninitialized pointer (closer to CWE-824), but the consequence is the same class of invalid free. No ATT&CK technique maps cleanly onto a runtime-internal memory-safety bug; the operational concern is a crash of the embedding process (denial of service) or, at worst, a guest-to-host sandbox escape, not OS-level privilege escalation. Upgrading is the fix. Where that is not immediately possible, calling `Config::wasm_reference_types(false)` makes Wasmtime reject any module that uses `externref`, so the vulnerable path cannot be reached. The caveat is that this disables the entire reference types proposal, so modules that rely on any part of it (multiple tables, `table.get`/`table.set`, `funcref` values as first-class references) are also rejected at compile time; check that the module set you deploy still loads with that setting. Since the bug is specific to the pooling allocator, not selecting that strategy is a second workaround, at the cost of the instantiation-latency benefits pooling provides.
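The following Rust program is an added illustration written for this page, not Wasmtime's own code: a std-only model of a pooling allocator that reproduces the shape of the bug and its fix. `Rc<HostObject>` stands in for the reference-counted `VMExternRef`, a `MaybeUninit` slot field stands in for the global's storage, and the two failure paths (limiter rejection, `mprotect`/`VirtualAlloc` error) are simulated by flags on a constructed `Request`. The names `Pool`, `Slot`, `Request` and `host_refcount` are assumptions of this model. The fixed `deallocate` drops the global only when the initialization step actually ran; the vulnerable version dropped it unconditionally.

```rust
use std::mem::MaybeUninit;
use std::ptr;
use std::rc::Rc;

/// Stand-in for a host object that a Wasm module references via `externref`.
pub struct HostObject(pub String);

/// Stand-in for `VMExternRef`: a reference-counted pointer whose destructor
/// decrements the count and frees the object at zero. Running that destructor
/// on uninitialized bytes is the bug this model reproduces (hypothetical model).
pub type ExternRef = Rc<HostObject>;

/// A pre-allocated, reusable instance slot. `global` is written only when
/// instantiation reaches the global-initialization step; `global_initialized`
/// is the bookkeeping the fixed cleanup relies on.
pub struct Slot {
    global: MaybeUninit<ExternRef>,
    global_initialized: bool,
    in_use: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum InstantiateError {
    /// mprotect / VirtualAlloc returned an error while committing memory.
    MemoryProtect,
    /// The embedder's ResourceLimiter refused the instance's memory request.
    ResourceLimit,
    NoFreeSlot,
}

/// Constructed inputs that decide how far instantiation gets.
pub struct Request<'a> {
    pub limiter_rejects: bool,
    pub mprotect_fails: bool,
    pub global_init: &'a ExternRef,
}

pub struct Pool {
    slots: Vec<Slot>,
}

impl Pool {
    pub fn new(capacity: usize) -> Pool {
        let slots = (0..capacity)
            .map(|_| Slot { global: MaybeUninit::uninit(), global_initialized: false, in_use: false })
            .collect();
        Pool { slots }
    }

    /// Mirrors the order of operations in the allocator: take a slot, commit
    /// memory (where both failure paths live), and only then write globals.
    pub fn instantiate(&mut self, req: &Request) -> Result<usize, InstantiateError> {
        let idx = self.slots.iter().position(|s| !s.in_use).ok_or(InstantiateError::NoFreeSlot)?;
        self.slots[idx].in_use = true;

        // Step 1: commit linear memory. A ResourceLimiter on the Store can
        // reject here; without one, only an mprotect/VirtualAlloc error can.
        // Either way the externref global has NOT been written yet.
        if req.limiter_rejects {
            self.deallocate(idx);
            return Err(InstantiateError::ResourceLimit);
        }
        if req.mprotect_fails {
            self.deallocate(idx);
            return Err(InstantiateError::MemoryProtect);
        }

        // Step 2: initialize the externref global (refcount goes up by one).
        self.slots[idx].global.write(Rc::clone(req.global_init));
        self.slots[idx].global_initialized = true;
        Ok(idx)
    }

    /// Fixed cleanup: drop the global only if step 2 actually ran. The
    /// vulnerable version dropped unconditionally, which on a failed
    /// instantiation ran Rc's destructor on stale or uninitialized bytes.
    pub fn deallocate(&mut self, idx: usize) {
        let slot = &mut self.slots[idx];
        if slot.global_initialized {
            // SAFETY: `global_initialized` is set only after `global.write`.
            unsafe { ptr::drop_in_place(slot.global.as_mut_ptr()) };
            slot.global_initialized = false;
        }
        slot.in_use = false;
    }
}

impl Drop for Pool {
    /// Release live instances so the model itself does not leak host objects.
    fn drop(&mut self) {
        for idx in 0..self.slots.len() {
            if self.slots[idx].in_use {
                self.deallocate(idx);
            }
        }
    }
}

/// Refcount seen by the host; a failed instantiation must leave it unchanged.
pub fn host_refcount(obj: &ExternRef) -> usize {
    Rc::strong_count(obj)
}

fn main() {
    let obj: ExternRef = Rc::new(HostObject("host-side value".to_string()));
    let mut pool = Pool::new(2);

    let failed = pool.instantiate(&Request { limiter_rejects: true, mprotect_fails: false, global_init: &obj });
    println!("limiter rejected: {:?}, refcount = {}", failed, host_refcount(&obj));

    let idx = pool
        .instantiate(&Request { limiter_rejects: false, mprotect_fails: false, global_init: &obj })
        .unwrap();
    println!("instantiated in slot {}, refcount = {}", idx, host_refcount(&obj));

    pool.deallocate(idx);
    println!("after deallocate, refcount = {}", host_refcount(&obj));
}
```

The point to take from the model is the invariant, not the types: cleanup on a partially built instance may only destroy the parts that were built, which requires the allocator to record how far initialization got before any failure can occur.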

Responsible

GitHub, Inc.

Reservation

01/19/2022

Disclosure

02/17/2022

Moderation

accepted

CPE

ready

EPSS

0.00760

KEV

no

Activities

very low

Sources
