6.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31146

GHSA ID

GHSA-5fhj-g3p3-pq9g

EPSS Score

0.33838%

CWE

CWE-416

Published

7/20/2022

Updated

1/27/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31146

CVE-2022-31146: Wasmtime vulnerable to Use After Free with `externref`s

There is a bug in Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing metadata required for runtime garbage collection (GC). This means that if a GC happens at runtime then the collector will mistakenly think some Wasm stack frames do not have live references to garbage collected values and therefore reclaim and deallocate them. The function can then subsequently continue to use the values, leading later to use-after-free bugs. This bug was introduced in Cranelift's migration to the regalloc2 register allocator in the Wasmtime 0.37.0 release on 2022-05-20. This bug has been patched and users should upgrade to Wasmtime version 0.38.2.

Mitigations for this issue can be achieved by doing one of:

Disabling the reference types proposal by passing false to wasmtime::Config::wasm_reference_types.
Downgrading to Wasmtime 0.36.0 or prior.

(GitHub Advisory)

6.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31146

GHSA ID

GHSA-5fhj-g3p3-pq9g

EPSS Score

0.33838%

CWE

CWE-416

Published

7/20/2022

Updated

1/27/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
wasmtime	rust	>= 0.37.0, < 0.38.2	0.38.2
cranelift-codegen	rust	>= 0.84.0, < 0.85.2	0.85.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper tracking of reference-type values during code generation. The commit diff shows critical changes to constant loading (load_constant64_full) and immediate value handling (imm rules) in the AArch64 backend. These functions were modified to add ImmExtend parameter handling, which is crucial for maintaining GC metadata. The original vulnerable versions lacked proper sign/zero extension tracking for reference-bearing values, causing regalloc2 to incorrectly elide stack maps. The patch explicitly adds extension type handling and proper value masking, confirming these were the problematic areas.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T**r* is * *u* in W*smtim*'s *o** **n*r*tor, *r*n*li*t, w**r* *un*tions usin* r***r*n** typ*s m*y ** in*orr**tly missin* m*t***t* r*quir** *or runtim* **r**** *oll**tion (**). T*is m**ns t**t i* * ** **pp*ns *t runtim* t**n t** *oll**tor will mist*k*

Reasoning

T** vuln*r**ility st*mm** *rom improp*r tr**kin* o* r***r*n**-typ* v*lu*s *urin* *o** **n*r*tion. T** *ommit *i** s*ows *riti**l ***n**s to *onst*nt lo**in* (lo**_*onst*nt**_*ull) *n* imm**i*t* v*lu* **n*lin* (imm rul*s) in t** **r**** ***k*n*. T**s*

6.4

Basic Information

Concerned about an active attack path?

CVE-2022-31146: Wasmtime vulnerable to Use After Free with `externref`s

6.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI