CVE-2024-30266

Wasmtime vulnerable to panic when using a dropped extenref-typed element segment

Description

wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this panic. This vulnerability has been patched in version 19.0.1.

Category

3.3
CVSS
Severity: Low
CVSS 3.1 •
EPSS 0.02%
Affected: bytecodealliance wasmtime
Published at:
Updated at:

References

Link Tags
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5
https://github.com/bytecodealliance/wasmtime/issues/8281
https://github.com/bytecodealliance/wasmtime/pull/8018
https://github.com/bytecodealliance/wasmtime/pull/8283
https://github.com/bytecodealliance/wasmtime/commit/7f57d0bb0948fa56cc950278d0db230ed10e8664

Frequently Asked Questions

What is the severity of CVE-2024-30266?
CVE-2024-30266 has been scored as a low severity vulnerability.
How to fix CVE-2024-30266?
To fix CVE-2024-30266, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-30266 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-30266 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-30266?
CVE-2024-30266 affects bytecodealliance wasmtime.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.