Wiz
Vulnerability DatabaseCVE-2023-30624

CVE-2023-30624
Rust vulnerability analysis and mitigation

Overview

CVE-2023-30624 affects Wasmtime, a standalone runtime for WebAssembly, in versions prior to 6.0.2, 7.0.1, and 8.0.1. The vulnerability involves undefined behavior in Wasmtime's implementation of managing per-instance state, such as tables and memories. This issue was discovered and disclosed on April 27, 2023 (GitHub Advisory).

Technical details

The vulnerability stems from Wasmtime's runtime state implementation where an Instance structure contains a trailing VMContext structure with a runtime-defined layout unique per-module. The code uses unsafe Rust methods that take &self as an argument but modify data in the VMContext part of the allocation, leading to mutation of pointers derived from &self. When compiled to LLVM, these functions have noalias readonly parameters, making it undefined behavior to write through the pointers. This undefined behavior causes runtime-level issues particularly when compiled with LLVM 16, resulting in critical writes being optimized away (GitHub Advisory).

Impact

The vulnerability primarily affects versions of Wasmtime compiled with Rust 1.70 (beta) or later, where functions are known to be incorrectly compiled. While versions compiled with Rust 1.69 (stable) and prior are not known to have immediate issues, they theoretically could exhibit potential problems. The impact is particularly severe when compiled with LLVM 16, as it can result in critical memory writes being optimized away, potentially compromising the application's security and functionality (GitHub Advisory).

Mitigation and workarounds

The issue has been patched in Wasmtime versions 6.0.2, 7.0.1, and 8.0.1. These versions contain fixes to work correctly on LLVM 16 and have no known undefined behavior on LLVM 15 and earlier. For users running Wasmtime compiled with Rust 1.69 and prior (using LLVM 15), while there are no known immediate issues, upgrading to a patched version is recommended. Users of beta Rust (1.70) or nightly Rust (1.71) must update to a patched version to ensure correct functionality (GitHub Advisory).

Additional resources

SourceThis report was generated using AI

Related Rust vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2026-22257HIGH8.8
  • RustRust
  • salvo
NoYesJan 08, 2026
CVE-2026-22698HIGH8.7
  • RustRust
  • sm2
NoNoJan 10, 2026
CVE-2026-22699HIGH7.5
  • RustRust
  • sm2
NoNoJan 10, 2026
GHSA-g59m-gf8j-gjf5LOW3.7
  • RustRust
  • aws-sdk-eventbridge
NoYesJan 08, 2026
GHSA-585q-cm62-757jLOW2
  • RustRust
  • mnl
NoNoJan 09, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo