CVE-2022-39393: 
Rust vulnerability analysis and mitigation

Wasmtime, a standalone runtime for WebAssembly, was found to contain a vulnerability prior to version 2.0.2. The issue was discovered in Wasmtime's implementation of its pooling instance allocator, where when a linear memory is reused for another instance, the initial heap snapshot of the prior instance could be erroneously visible to the next instance. The vulnerability was assigned CVE-2022-39393 and was disclosed on November 10, 2022, with a CVSS v3.1 score of 8.6 (High) (GitHub Advisory).

The vulnerability occurs in the pooling instance allocator which preallocates virtual memory for a fixed number of instances. When a heap slot is deallocated, Wasmtime resets its contents but doesn't unmap the image, anticipating the next instance might be from the same module. The bug manifests when a slot previously used for a module with a heap image is reused by a module without a heap image - in this case, Wasmtime erroneously leaves the old heap image in place. This primarily affects hand-crafted .wat files or specially crafted source programs, as most modern toolchain-produced modules include heap images (GitHub Advisory).

The vulnerability can lead to data leakage between instances, where one instance can view the initial heap contents of a previous instance. Additionally, when the affected slot is reused again with a module that has an initialization image, it's likely to cause segmentation faults. This occurs because the state tracking system fails to account for the intermediate module, leading to incorrect assumptions about memory mapping (GitHub Advisory).

The vulnerability has been patched in Wasmtime version 2.0.2. Users are strongly advised to upgrade to this version or later. Alternative mitigations include disabling the pooling allocator (which is not enabled by default) or disabling the memory-init-cow feature. For those unable to upgrade immediately, these configuration changes can serve as temporary workarounds (GitHub Advisory).