Miggo Logo

CVE-2022-31146: Wasmtime vulnerable to Use After Free with `externref`s

6.4

CVSS Score
3.1

Basic Information

EPSS Score
0.33838%
Published
7/20/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyRust

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
wasmtimerust>= 0.37.0, < 0.38.20.38.2
cranelift-codegenrust>= 0.84.0, < 0.85.20.85.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from improper tracking of reference-type values during code generation. The commit diff shows critical changes to constant loading (load_constant64_full) and immediate value handling (imm rules) in the AArch64 backend. These functions were modified to add ImmExtend parameter handling, which is crucial for maintaining GC metadata. The original vulnerable versions lacked proper sign/zero extension tracking for reference-bearing values, causing regalloc2 to incorrectly elide stack maps. The patch explicitly adds extension type handling and proper value masking, confirming these were the problematic areas.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T**r* is * *u* in W*smtim*'s *o** **n*r*tor, *r*n*li*t, w**r* *un*tions usin* r***r*n** typ*s m*y ** in*orr**tly missin* m*t***t* r*quir** *or runtim* **r**** *oll**tion (**). T*is m**ns t**t i* * ** **pp*ns *t runtim* t**n t** *oll**tor will mist*k*

Reasoning

T** vuln*r**ility st*mm** *rom improp*r tr**kin* o* r***r*n**-typ* v*lu*s *urin* *o** **n*r*tion. T** *ommit *i** s*ows *riti**l ***n**s to *onst*nt lo**in* (lo**_*onst*nt**_*ull) *n* imm**i*t* v*lu* **n*lin* (imm rul*s) in t** **r**** ***k*n*. T**s*
CVE-2022-31146: Wasmtime GC Use After Free Bug | Miggo