CVE-2024-47813 | Wasmtime race condition could lead to WebAssembly control-flow integrity and type safety violations

Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly's control-flow integrity (CFI) and type safety. Users that do not use `wasmtime::Engine` across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected. Reproducing this bug requires creating and dropping multiple type instances (such as `wasmtime::FuncType` or `wasmtime::ArrayType`) concurrently on multiple threads, where all types are associated with the same `wasmtime::Engine`. **Wasm guests cannot trigger this bug.** See the "References" section below for a list of Wasmtime types-related APIs that are affected. Wasmtime maintains an internal registry of types within a `wasmtime::Engine` and an engine is shareable across threads. Types can be created and referenced through creation of a `wasmtime::Module`, creation of `wasmtime::FuncType`, or a number of other APIs where the host creates a function (see "References" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly's `call_indirect` function, for example. This bug is a race condition in this management where the internal type registry could be corrupted to trigger an assert or contain invalid state. Wasmtime's internal representation of a type has individual types (e.g. one-per-host-function) maintain a registration count of how many time it's been used. Types additionally have state within an engine behind a read-write lock such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where one thread atomically decrements a type entry's registration count, observes zero registrations, and then acquires a lock in order to unregister that entry. However, between when this first thread observed the zero-registration count and when it acquires that lock, another thread could perform the following sequence of events: re-register another copy of the type, which deduplicates to that same entry, resurrecting it and incrementing its registration count; then drop the type and decrement its registration count; observe that the registration count is now zero; acquire the type registry lock; and finally unregister the type. Now, when the original thread finally acquires the lock and unregisters the entry, it is the second time this entry has been unregistered. This bug was originally introduced in Wasmtime 19's development of the WebAssembly GC proposal. This bug affects users who are not using the GC proposal, however, and affects Wasmtime in its default configuration even when the GC proposal is disabled. Wasmtime users using 19.0.0 and after are all affected by this issue. We have released the following Wasmtime versions, all of which have a fix for this bug: * 21.0.2 * 22.0.1 * 23.0.3 * 24.0.1 * 25.0.2. If your application creates and drops Wasmtime types on multiple threads concurrently, there are no known workarounds. Users are encouraged to upgrade to a patched release.

Published: 2024-10-09 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2024-47813 is rated Low Risk (13.3/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.15%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2024-47813

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.04% 0.15% +0.11%
2 2024-10-10 0.04%

Full EPSS history (2 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2024-47813

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
2.9 3.1 LOW
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.
0.3 2.5 [email protected]

Weakness enumeration for CVE-2024-47813

GitHub Security Advisory for CVE-2024-47813

GHSA-7qmx-3fpx-r45m · Severity: low · Ecosystem: rust — Wasmtime race condition could lead to WebAssembly control-flow integrity and type safety violations

OS Trackers for CVE-2024-47813

vendor priority summary link
debian not yet assigned CVE-2024-47813 not yet assigned priority: Debian including 1 source packages (rust-wasmtime), 3 status rows across 3 suites (forky, sid, trixie): resolved 3. https://security-tracker.debian.org/tracker/CVE-2024-47813
ubuntu low CVE-2024-47813 low priority: Ubuntu including 1 source packages (rust-wasmtime), 7 status rows across 7 suites (focal, jammy, noble, oracular, plucky, questing, upstream): needs-triage 3, DNE 2, ignored 2. https://ubuntu.com/security/CVE-2024-47813

Affected software / configurations for CVE-2024-47813

Vendor Product Version Raw CPE
bytecodealliance wasmtime 19.0.0 cpe:2.3:a:bytecodealliance:wasmtime:19.0.0:*:*:*:*:rust:*:*
bytecodealliance wasmtime 19.0.1 cpe:2.3:a:bytecodealliance:wasmtime:19.0.1:*:*:*:*:rust:*:*
bytecodealliance wasmtime 19.0.2 cpe:2.3:a:bytecodealliance:wasmtime:19.0.2:*:*:*:*:rust:*:*
bytecodealliance wasmtime 20.0.0 cpe:2.3:a:bytecodealliance:wasmtime:20.0.0:*:*:*:*:rust:*:*
bytecodealliance wasmtime 20.0.1 cpe:2.3:a:bytecodealliance:wasmtime:20.0.1:*:*:*:*:rust:*:*
bytecodealliance wasmtime 20.0.2 cpe:2.3:a:bytecodealliance:wasmtime:20.0.2:*:*:*:*:rust:*:*
bytecodealliance wasmtime 21.0.0 cpe:2.3:a:bytecodealliance:wasmtime:21.0.0:*:*:*:*:rust:*:*
bytecodealliance wasmtime 21.0.1 cpe:2.3:a:bytecodealliance:wasmtime:21.0.1:*:*:*:*:rust:*:*
bytecodealliance wasmtime 22.0.0 cpe:2.3:a:bytecodealliance:wasmtime:22.0.0:*:*:*:*:rust:*:*
bytecodealliance wasmtime 23.0.0 cpe:2.3:a:bytecodealliance:wasmtime:23.0.0:*:*:*:*:rust:*:*
bytecodealliance wasmtime 23.0.1 cpe:2.3:a:bytecodealliance:wasmtime:23.0.1:*:*:*:*:rust:*:*
bytecodealliance wasmtime 23.0.2 cpe:2.3:a:bytecodealliance:wasmtime:23.0.2:*:*:*:*:rust:*:*
bytecodealliance wasmtime 24.0.0 cpe:2.3:a:bytecodealliance:wasmtime:24.0.0:*:*:*:*:rust:*:*
bytecodealliance wasmtime 25.0.0 cpe:2.3:a:bytecodealliance:wasmtime:25.0.0:*:*:*:*:rust:*:*
bytecodealliance wasmtime 25.0.1 cpe:2.3:a:bytecodealliance:wasmtime:25.0.1:*:*:*:*:rust:*:*

References for CVE-2024-47813

cvelogic Threat Intelligence