CVE-2022-24791 is a use-after-free vulnerability (CWE-416) found in Wasmtime, a standalone Just-In-Time (JIT) runtime for WebAssembly (Wasm) developed by the Bytecode Alliance. Wasmtime leverages Cranelift as its code generator. The vulnerability arises specifically when Wasmtime is configured to run Wasm modules that utilize externrefs (external references) and have epoch interruption enabled. Epoch interruption is a feature designed to allow preemption of long-running Wasm code, but it is disabled by default. Similarly, the Wasm reference types proposal, which enables externrefs, is enabled by default but can be explicitly disabled to avoid this issue. The root cause lies in Cranelift's failure to emit stack maps correctly when safepoints occur inside "cold blocks"—blocks of code emitted at the end of compiled functions when epoch interruption is enabled. Cranelift expects to emit stack maps in the order blocks are defined, but cold blocks reorder emission, causing some stack maps to be skipped. Stack maps are essential for the garbage collector to identify live references on the stack. Missing stack maps lead Wasmtime's garbage collector to mistakenly reclaim live externrefs prematurely. After this erroneous reclamation, the Wasm code may continue to use these freed references, resulting in a use-after-free condition. This vulnerability affects Wasmtime versions prior to 0.34.2 and versions from 0.35.0 up to but not including 0.35.2. Patches addressing this issue have been released in versions 0.34.2 and 0.35.2. Users are strongly advised to upgrade to these versions. If upgrading is not feasible, mitigating the vulnerability is possible by disabling either the Wasm reference types proposal (config.wasm_reference_types(false)) or epoch interruption (config.epoch_interruption(false)). No known exploits have been reported in the wild, but the vulnerability poses a risk of memory corruption, which could lead to arbitrary code execution or denial of service depending on the context in which Wasmtime is used.

The use-after-free vulnerability in Wasmtime can have significant security implications for European organizations that rely on Wasmtime for running WebAssembly workloads, especially those enabling epoch interruption and using externrefs. Exploitation could lead to memory corruption, potentially allowing attackers to execute arbitrary code, escalate privileges, or cause denial of service by crashing the runtime. This is particularly critical in environments where Wasmtime is embedded in cloud services, edge computing platforms, or serverless architectures, which are increasingly adopted across Europe. Given the growing adoption of WebAssembly for secure, portable code execution in web applications, IoT devices, and cloud-native environments, the vulnerability could affect a wide range of sectors including finance, telecommunications, manufacturing, and government services. The ability to exploit this flaw depends on specific configuration settings, which may limit exposure but also means that organizations unaware of these settings might be vulnerable. Furthermore, the vulnerability's impact on confidentiality and integrity is notable because use-after-free bugs can be leveraged to bypass memory safety guarantees, potentially exposing sensitive data or allowing unauthorized code execution. Availability could also be affected if exploitation leads to crashes or resource exhaustion. Although no active exploits are known, the potential for targeted attacks exists, especially against high-value targets using Wasmtime in critical infrastructure or sensitive data processing.

1. Immediate Upgrade: Organizations using Wasmtime should upgrade to patched versions 0.34.2 or 0.35.2 as soon as possible to eliminate the vulnerability. 2. Configuration Hardening: If upgrading is not immediately possible, disable epoch interruption (config.epoch_interruption(false)) or disable the Wasm reference types proposal (config.wasm_reference_types(false)) to mitigate the vulnerability. 3. Audit Usage: Conduct an audit of all Wasmtime deployments to identify configurations enabling epoch interruption and externrefs, as these are prerequisites for exploitation. 4. Monitoring and Detection: Implement runtime monitoring to detect abnormal Wasmtime crashes or memory corruption symptoms that could indicate exploitation attempts. 5. Supply Chain Controls: Verify the integrity of Wasmtime binaries and dependencies to prevent introduction of maliciously modified versions. 6. Developer Awareness: Educate developers and DevOps teams about the risks associated with enabling epoch interruption and externrefs, encouraging secure configuration practices. 7. Incident Response Preparedness: Prepare incident response plans specifically addressing potential exploitation of memory corruption vulnerabilities in WebAssembly runtimes. 8. Limit Exposure: Where possible, isolate Wasmtime workloads in sandboxed or containerized environments with strict access controls to limit the impact of any successful exploitation.