3.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-39394

CVE-2022-39394: wasmtime_trap_code C API function has out of bounds write vulnerability

Impact

There is a bug in Wasmtime's C API implementation where the definition of the wasmtime_trap_code does not match its declared signature in the wasmtime/trap.h header file. This discrepancy causes the function implementation to perform a 4-byte write into a 1-byte buffer provided by the caller. This can lead to three zero bytes being written beyond the 1-byte location provided by the caller.

Patches

This bug has been patched and users should upgrade to Wasmtime 2.0.2.

Workarounds

This can be worked around by providing a 4-byte buffer casted to a 1-byte buffer when calling wasmtime_trap_code. Users of the wasmtime crate are not affected by this issue, only users of the C API function wasmtime_trap_code are affected.

References

For more information

If you have any questions or comments about this advisory:

Reach out to us on the Bytecode Alliance Zulip chat
Open an issue in the bytecodealliance/wasmtime repository

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-39394

CVE-2022-39394:

3.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
wasmtime	rust	>= 2.0.0, < 2.0.2	2.0.2
wasmtime	rust	< 1.0.2	1.0.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the type mismatch in the wasmtime_trap_code function between its C API declaration (expecting a 1-byte buffer) and Rust implementation (writing a 4-byte i32). The commit diff shows the parameter type was changed from &mut i32 to &mut u8 in trap.rs, confirming the root cause. All advisories and CVE descriptions explicitly reference this function as the vulnerable component. The out-of-bounds write occurs when the 4-byte write operation exceeds the caller's 1-byte buffer allocation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-39394: wasmtime_trap_code C API function has out of bounds write vulnerability

Impact

Patches

Workarounds

References

For more information

CVE-2022-39394:

3.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2022-39394: wasmtime_trap_code C API function has out of bounds write vulnerability

Impact

Patches

Workarounds

References

For more information

Technical Details

3.8

3.8

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI