GHSA-7qmx-3fpx-r45m · Severity: low · Ecosystem: rust — Wasmtime race condition could lead to WebAssembly control-flow integrity and type safety violations
Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly's control-flow integrity (CFI) and type safety. Users that do not use `wasmtime::Engine` across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected. Reproducing this bug requires creating and dropping multiple type instances (such as `wasmtime::FuncType` or `wasmtime::ArrayType`) concurrently on multiple threads, where all types are associated with the same `wasmtime::Engine`. **Wasm guests cannot trigger this bug.** See the "References" section below for a list of Wasmtime types-related APIs that are affected. Wasmtime maintains an internal registry of types within a `wasmtime::Engine` and an engine is shareable across threads. Types can be created and referenced through creation of a `wasmtime::Module`, creation of `wasmtime::FuncType`, or a number of other APIs where the host creates a function (see "References" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly's `call_indirect` function, for example. This bug is a race condition in this management where the internal type registry could be corrupted to trigger an assert or contain invalid state. Wasmtime's internal representation of a type has individual types (e.g. one-per-host-function) maintain a registration count of how many time it's been used. Types additionally have state within an engine behind a read-write lock such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where one thread atomically decrements a type entry's registration count, observes zero registrations, and then acquires a lock in order to unregister that entry. However, between when this first thread observed the zero-registration count and when it acquires that lock, another thread could perform the following sequence of events: re-register another copy of the type, which deduplicates to that same entry, resurrecting it and incrementing its registration count; then drop the type and decrement its registration count; observe that the registration count is now zero; acquire the type registry lock; and finally unregister the type. Now, when the original thread finally acquires the lock and unregisters the entry, it is the second time this entry has been unregistered. This bug was originally introduced in Wasmtime 19's development of the WebAssembly GC proposal. This bug affects users who are not using the GC proposal, however, and affects Wasmtime in its default configuration even when the GC proposal is disabled. Wasmtime users using 19.0.0 and after are all affected by this issue. We have released the following Wasmtime versions, all of which have a fix for this bug: * 21.0.2 * 22.0.1 * 23.0.3 * 24.0.1 * 25.0.2. If your application creates and drops Wasmtime types on multiple threads concurrently, there are no known workarounds. Users are encouraged to upgrade to a patched release.
Conclusion & alert: CVE-2024-47813 is rated Low Risk (13.3/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.15%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.04% | 0.15% | +0.11% |
| 2 | 2024-10-10 | — | 0.04% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 2.9 | 3.1 | LOW |
|
0.3 | 2.5 | [email protected] |
GHSA-7qmx-3fpx-r45m · Severity: low · Ecosystem: rust — Wasmtime race condition could lead to WebAssembly control-flow integrity and type safety violations
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2024-47813 not yet assigned priority: Debian including 1 source packages (rust-wasmtime), 3 status rows across 3 suites (forky, sid, trixie): resolved 3. | https://security-tracker.debian.org/tracker/CVE-2024-47813 |
ubuntu
|
low | CVE-2024-47813 low priority: Ubuntu including 1 source packages (rust-wasmtime), 7 status rows across 7 suites (focal, jammy, noble, oracular, plucky, questing, upstream): needs-triage 3, DNE 2, ignored 2. | https://ubuntu.com/security/CVE-2024-47813 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| bytecodealliance | wasmtime | 19.0.0 | cpe:2.3:a:bytecodealliance:wasmtime:19.0.0:*:*:*:*:rust:*:* |
| bytecodealliance | wasmtime | 19.0.1 | cpe:2.3:a:bytecodealliance:wasmtime:19.0.1:*:*:*:*:rust:*:* |
| bytecodealliance | wasmtime | 19.0.2 | cpe:2.3:a:bytecodealliance:wasmtime:19.0.2:*:*:*:*:rust:*:* |
| bytecodealliance | wasmtime | 20.0.0 | cpe:2.3:a:bytecodealliance:wasmtime:20.0.0:*:*:*:*:rust:*:* |
| bytecodealliance | wasmtime | 20.0.1 | cpe:2.3:a:bytecodealliance:wasmtime:20.0.1:*:*:*:*:rust:*:* |
| bytecodealliance | wasmtime | 20.0.2 | cpe:2.3:a:bytecodealliance:wasmtime:20.0.2:*:*:*:*:rust:*:* |
| bytecodealliance | wasmtime | 21.0.0 | cpe:2.3:a:bytecodealliance:wasmtime:21.0.0:*:*:*:*:rust:*:* |
| bytecodealliance | wasmtime | 21.0.1 | cpe:2.3:a:bytecodealliance:wasmtime:21.0.1:*:*:*:*:rust:*:* |
| bytecodealliance | wasmtime | 22.0.0 | cpe:2.3:a:bytecodealliance:wasmtime:22.0.0:*:*:*:*:rust:*:* |
| bytecodealliance | wasmtime | 23.0.0 | cpe:2.3:a:bytecodealliance:wasmtime:23.0.0:*:*:*:*:rust:*:* |
| bytecodealliance | wasmtime | 23.0.1 | cpe:2.3:a:bytecodealliance:wasmtime:23.0.1:*:*:*:*:rust:*:* |
| bytecodealliance | wasmtime | 23.0.2 | cpe:2.3:a:bytecodealliance:wasmtime:23.0.2:*:*:*:*:rust:*:* |
| bytecodealliance | wasmtime | 24.0.0 | cpe:2.3:a:bytecodealliance:wasmtime:24.0.0:*:*:*:*:rust:*:* |
| bytecodealliance | wasmtime | 25.0.0 | cpe:2.3:a:bytecodealliance:wasmtime:25.0.0:*:*:*:*:rust:*:* |
| bytecodealliance | wasmtime | 25.0.1 | cpe:2.3:a:bytecodealliance:wasmtime:25.0.1:*:*:*:*:rust:*:* |
| URL | Tags |
|---|---|
| https://github.com/bytecodealliance/wasmtime/pull/7969 | Product |
| https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7qmx-3fpx-r45m | Third Party Advisory |