CVE-2024-47763
CVSS 3.1 Score 5.5 of 10 (medium)
Details
Summary
CVE-2024-47763 is a denial-of-service vulnerability in Wasmtime, an open source WebAssembly runtime. The issue is a runtime crash triggered by tail calls in WebAssembly modules. Wasmtime, which first enabled tail calls by default in version 21.0.0, assumes during stack walking that there is always a WebAssembly frame on the stack; with tail calls that assumption no longer holds. As a result, an exported function that returns to an imported host function which captures a stack trace can trip an internal assert and cause a Rust panic. When Wasmtime is compiled with Rust 1.81 or later, this panic results in a deterministic process abort. A malicious WebAssembly module or component can therefore crash the host and cause a denial of service.

Versions 21.0.2, 22.0.1, 23.0.3, 24.0.1, and 25.0.2 contain the fix. Versions 12.0.x through 20.0.x include tail-call support but leave it disabled by default, so they are not affected. As a workaround, users can disable tail-call support in Wasmtime.
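The version ranges above are the information a dependency triage needs. The following is an added example, not code from Wasmtime or the Bytecode Alliance: it scans a Cargo.lock for the `wasmtime` crate and classifies each version found against the advisory's affected and patched releases. The Cargo.lock text is constructed for the example, and the treatment of major versions newer than 25 as already patched is an assumption not stated by the advisory.

```rust
// Added example (not Wasmtime's own code): classify Wasmtime versions found in a
// Cargo.lock against the CVE-2024-47763 affected range.

#[derive(Debug, PartialEq, Eq, Clone, Copy, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse a strict "major.minor.patch" string; anything else yields None.
    pub fn parse(s: &str) -> Option<Version> {
        let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        let major = it.next()??;
        let minor = it.next()??;
        let patch = it.next()??;
        if it.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch })
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Status {
    /// Tail calls on by default and the stack-walk fix absent: upgrade to `fixed_in`.
    Affected { fixed_in: Version },
    /// 12.0.x through 20.0.x: tail-call support present but disabled by default.
    TailCallsOffByDefault,
    /// Older than 12.0: no tail-call support at all.
    NoTailCallSupport,
    /// At or past the patched release for this line.
    Patched,
}

/// Patched releases named in the advisory, keyed by major version line.
const PATCHED: [(u64, Version); 5] = [
    (21, Version { major: 21, minor: 0, patch: 2 }),
    (22, Version { major: 22, minor: 0, patch: 1 }),
    (23, Version { major: 23, minor: 0, patch: 3 }),
    (24, Version { major: 24, minor: 0, patch: 1 }),
    (25, Version { major: 25, minor: 0, patch: 2 }),
];

pub fn classify(v: Version) -> Status {
    if v.major < 12 {
        return Status::NoTailCallSupport;
    }
    if v.major <= 20 {
        return Status::TailCallsOffByDefault;
    }
    match PATCHED.iter().find(|(line, _)| *line == v.major) {
        Some((_, fixed)) if v < *fixed => Status::Affected { fixed_in: *fixed },
        Some(_) => Status::Patched,
        // Assumption (not stated by the advisory): lines newer than 25.x carry the fix.
        None => Status::Patched,
    }
}

/// Walk a Cargo.lock line by line and report every `wasmtime` package entry.
/// Only the exact crate name matches; `wasmtime-cranelift` and friends are skipped.
pub fn scan_cargo_lock(lock: &str) -> Vec<(Version, Status)> {
    let mut out = Vec::new();
    let mut current_name: Option<String> = None;
    for line in lock.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            current_name = None;
            continue;
        }
        if let Some(rest) = line.strip_prefix("name = ") {
            current_name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            if current_name.as_deref() == Some("wasmtime") {
                if let Some(v) = Version::parse(rest.trim_matches('"')) {
                    out.push((v, classify(v)));
                }
            }
        }
    }
    out
}

/// Constructed Cargo.lock excerpt for the example (not from any real project).
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "wasmtime"
version = "21.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "wasmtime-cranelift"
version = "21.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    for (v, status) in scan_cargo_lock(SAMPLE_LOCK) {
        println!("wasmtime {}.{}.{}: {:?}", v.major, v.minor, v.patch, status);
    }
}
```

A hit in the `Affected` state means the stack-walking assumption described above is live in that build; the remedy is the patched release for that line, or, until the upgrade lands, disabling tail-call support in the embedding configuration as the advisory suggests.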
Affected Products
- Wasmtime
Affected Vendors
- Bytecode Alliance