CVE-2022-43282 in wabt

Summary

by MITRE • 10/29/2022

wasm-interp v1.0.29 was discovered to contain an out-of-bounds read via the component OnReturnCallIndirectExpr->GetReturnCallDropKeepCount.


Analysis

by VulDB Data Team • 05/09/2025

The vulnerability identified as CVE-2022-43282 affects wasm-interp version 1.0.29, a WebAssembly interpreter implementation that processes and executes WebAssembly modules. This particular flaw manifests as an out-of-bounds read condition within the component responsible for handling return call indirect expressions, specifically within the OnReturnCallIndirectExpr->GetReturnCallDropKeepCount method. The issue arises when the interpreter processes WebAssembly modules containing malformed or malicious return call indirect expressions that manipulate the drop and keep count parameters in ways that exceed allocated memory boundaries.

The technical root cause of this vulnerability stems from insufficient bounds checking within the WebAssembly interpreter's handling of indirect call operations. When processing return call indirect expressions, the interpreter fails to validate the drop and keep count values against the actual stack frame boundaries, allowing an attacker to craft WebAssembly modules that trigger memory access violations. This out-of-bounds read condition occurs because the GetReturnCallDropKeepCount function does not properly validate input parameters before using them to calculate memory offsets, potentially leading to information disclosure or system instability.
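A simplified model of the check the analysis describes as missing, added here as an illustration and not taken from wabt's source: drop and keep counts are validated against the current frame before they are used as stack offsets. The `DropKeep` struct, `ValidDropKeep`, `ApplyDropKeep` and the `frame_base` parameter are hypothetical names, and the sample stack is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical model, not wabt's data structures.
struct DropKeep {
  uint32_t drop;  // values to remove below the kept ones
  uint32_t keep;  // values on top of the stack to preserve
};

// Check module-derived counts against the slots the current frame owns.
// frame_base is the index of the first value slot of the current frame.
bool ValidDropKeep(const std::vector<uint64_t>& stack, size_t frame_base,
                   DropKeep dk) {
  if (frame_base > stack.size()) return false;
  size_t frame_size = stack.size() - frame_base;
  // Add in 64 bits so drop + keep cannot wrap around before the comparison.
  return static_cast<uint64_t>(dk.drop) + dk.keep <= frame_size;
}

// Keep the top `keep` values and erase the `drop` values below them.
// Returns false and leaves the stack untouched when the counts are out of range.
bool ApplyDropKeep(std::vector<uint64_t>& stack, size_t frame_base,
                   DropKeep dk) {
  if (!ValidDropKeep(stack, frame_base, dk)) return false;
  auto keep_begin = stack.end() - dk.keep;
  stack.erase(keep_begin - dk.drop, keep_begin);
  return true;
}

int main() {
  std::vector<uint64_t> stack{10, 20, 30, 40, 50};  // constructed sample
  bool ok = ApplyDropKeep(stack, 1, {2, 2});   // fits the 4-slot frame
  bool bad = ApplyDropKeep(stack, 1, {7, 1});  // exceeds the frame: rejected
  std::printf("ok=%d bad=%d size=%zu\n", ok, bad, stack.size());
  return (ok && !bad) ? 0 : 1;
}
```

Without the range check, the iterator arithmetic in `ApplyDropKeep` would step below the frame base or past the start of the buffer, which is the class of out-of-bounds access the analysis attributes to unvalidated counts.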

The operational impact of this vulnerability extends beyond simple memory corruption, as it represents a critical security weakness that could enable attackers to extract sensitive information from the interpreter's memory space. An attacker who successfully exploits this vulnerability could potentially read adjacent memory regions containing stack data, configuration information, or other sensitive values that should remain protected. The nature of WebAssembly's sandboxing requirements means that such vulnerabilities in interpreters can undermine the security model, potentially allowing privilege escalation or information leakage that compromises the entire execution environment.

This vulnerability maps to CWE-129, which specifically addresses insufficient validation of length of input buffers, and aligns with ATT&CK technique T1059.007 for execution through WebAssembly. The flaw demonstrates a classic buffer over-read condition that can be exploited in environments where WebAssembly modules are executed with elevated privileges or where the interpreter serves as a gateway to sensitive systems. Security professionals should consider this vulnerability as part of broader WebAssembly security assessments, particularly in environments where untrusted code execution is permitted.

Mitigation strategies for CVE-2022-43282 require immediate patching of affected wasm-interp installations to version 1.0.30 or later, which includes proper bounds checking for the return call indirect expression handling. Organizations should also implement runtime monitoring to detect anomalous WebAssembly execution patterns and consider deploying WebAssembly interpreters in restricted environments with additional sandboxing measures. Additionally, input validation should be enhanced at multiple layers, including WebAssembly module validation and interpreter-level parameter checking, to prevent similar issues from occurring in other components of the execution pipeline.

Reservation

10/17/2022

Disclosure

10/29/2022

Moderation

accepted

CPE

ready

EPSS

0.00304

KEV

no

Activities

very low

Sources
