Summary
Workarounds
If your application creates and drops Wasmtime types on multiple threads concurrently, there are no known workarounds. Users are encouraged to upgrade to a patched release.
References
The following APIs create or drop types, and therefore are affected by this race condition if performed on multiple threads concurrently and are all associated with the same wasmtime::Engine:
wasmtime::FuncType::new- Also reachable from creation of
wasmtime::Func - Also reachable from
wasmtime::Linker::func_*
- Also reachable from creation of
wasmtime::ArrayType::newwasmtime::StructType::newwasmtime::Func::tywasmtime::Global::tywasmtime::Table::tywasmtime::Extern::tywasmtime::Export::tywasmtime::UnknownImportError::tywasmtime::ImportType::tywasmtime::ExportType::tywasmtime::Val::tywasmtime::Ref::tywasmtime::AnyRef::tywasmtime::EqRef::tywasmtime::ArrayRef::tywasmtime::StructRef::ty- Dropping a
wasmtime::FuncType - Dropping a
wasmtime::ArrayType - Dropping a
wasmtime::StructType - Dropping a
wasmtime::ExternType - Dropping a
wasmtime::GlobalType - Dropping a
wasmtime::TableType - Dropping a
wasmtime::ValType - Dropping a
wasmtime::RefType - Dropping a
wasmtime::HeapType - Dropping a
wasmtime::UnknownImportError - Dropping a
wasmtime::Linker
The change which introduced this bug was #7969
Impact
Under certain concurrent event orderings, a wasmtime::Engine's internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly's control-flow integrity (CFI) and type safety. Users that do not use wasmtime::Engine across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected.
Reproducing this bug requires creating and dropping multiple type instances (such as wasmtime::FuncType or wasmtime::ArrayType) concurrently on multiple threads, where all types are associated with the same wasmtime::Engine. Wasm guests cannot trigger this bug. See the "References" section below for a list of Wasmtime types-related APIs that are affected.
Wasmtime maintains an internal registry of types within a wasmtime::Engine and an engine is shareable across threads. Types can be created and referenced through creation of a wasmtime::Module, creation of wasmtime::FuncType, or a number of other APIs where the host creates a function (see "References" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly's call_indirect function, for example. This bug is a race condition in this management where the internal type registry could be corrupted to trigger an assert or contain invalid state.
Wasmtime's internal representation of a type has individual types (e.g. one-per-host-function) maintain a registration count of how many time it's been used. Types additionally have state within an engine behind a read-write lock such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where one thread atomically decrements a type entry's registration count, observes zero registrations, and then acquires a lock in order to unregister that entry. However, between when this first thread observed the zero-registration count and when it acquires that lock, another thread could perform the following sequence of events: re-register another copy of the type, which deduplicates to that same entry, resurrecting it and incrementing its registration count; then drop the type and decrement its registration count; observe that the registration count is now zero; acquire the type registry lock; and finally unregister the type. Now, when the original thread finally acquires the lock and unregisters the entry, it is the second time this entry has been unregistered.
| Thread A | Thread B |
|---|---|
acquire(type registry lock) |
|
decref(E) --> 0 |
|
block_on(type registry lock) |
|
register(E') == incref(E) --> 1 |
|
release(type registry lock) |
|
decref(E) --> 0 |
|
acquire(type registry lock) |
|
unregister(E) |
|
release(type registry lock) |
|
acquire(type registry lock) |
|
unregister(E) |
This double-unregistration could then lead to a WebAssembly CFI violation under the following conditions: a new WebAssembly module X was loaded into the engine before the second, buggy unregistration occurs; X defined a function type F that was allocated in the same type registry slot where the original entry was allocated; the second, buggy unregistration incorrectly unregistered F; another new WebAssembly module Y was loaded into the engine; Y defined a function type G, different from F, but which is also allocated in the same type registry slot; a funcref of type G is created, either by the host or by Wasm; that funcref is passed to a WebAssembly instance of module X; that instance performs a call_indirect to that funcref; the call_indirect's dynamic type check, which preserves CFI, could incorrectly pass in this case, because F and G were assigned the same type registry slot. This would, ultimately, allow calling a function with too many, too few, or wrongly-typed arguments, violating CFI and type safety.
We were not able to reproduce this CFI violation in a vanilla Wasmtime build, although it remains theoretically possible. However, by modifying Wasmtime's source code to make losing the races described above more likely (by disabling certain assertions, inserting panic catches, and adding retry loops in a few places if we did not lose the race) we were able to incorrectly get a funcref to pass a type check that it should have failed, which would allow the CFI violation.
CVE-2024-47813 has a CVSS score of 2.9 (Low). The vector is requires local access, high privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (21.0.2, 22.0.1, 23.0.3, 24.0.1, 25.0.2); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
This bug was originally introduced in Wasmtime 19's development of the WebAssembly GC proposal. This bug affects users who are not using the GC proposal, however, and affects Wasmtime in its default configuration even when the GC proposal is disabled. Wasmtime users using 19.0.0 and after are all affected by this issue. We have released the following Wasmtime versions, all of which have a fix for this bug:
- 21.0.2
- 22.0.1
- 23.0.3
- 24.0.1
- 25.0.2
Frequently Asked Questions
- What is CVE-2024-47813? CVE-2024-47813 is a low-severity security vulnerability in wasmtime (rust), affecting versions >= 19.0.0, < 21.0.2. It is fixed in 21.0.2, 22.0.1, 23.0.3, 24.0.1, 25.0.2.
- How severe is CVE-2024-47813? CVE-2024-47813 has a CVSS score of 2.9 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of wasmtime are affected by CVE-2024-47813? wasmtime (rust) versions >= 19.0.0, < 21.0.2 is affected.
- Is there a fix for CVE-2024-47813? Yes. CVE-2024-47813 is fixed in 21.0.2, 22.0.1, 23.0.3, 24.0.1, 25.0.2. Upgrade to this version or later.
- Is CVE-2024-47813 exploitable, and should I be worried? Whether CVE-2024-47813 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-47813 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-47813?
- Upgrade
wasmtimeto 21.0.2 or later - Upgrade
wasmtimeto 22.0.1 or later - Upgrade
wasmtimeto 23.0.3 or later - Upgrade
wasmtimeto 24.0.1 or later - Upgrade
wasmtimeto 25.0.2 or later
- Upgrade