CVE-2023-52284: 
Fluent Bit vulnerability analysis and mitigation

Bytecode Alliance wasm-micro-runtime (WAMR) before version 1.3.0 contains a vulnerability identified as CVE-2023-52284. The vulnerability was disclosed on December 31, 2023, and affects the WebAssembly Micro Runtime's handling of push_pop_frame_ref_offset, which can result in a "double free or corruption" error when processing valid WebAssembly modules (NVD).

The vulnerability stems from a mishandling of push_pop_frame_ref_offset in the runtime's loader component. Specifically, wasm_loader_push_pop_frame_offset may pop n operands using loader_ctx->stack_cell_num to check operand availability. However, since loader_ctx->stack_cell_num is updated later in wasm_loader_push_pop_frame_ref, the check can fail if the stack is in a polymorphic state, leading to ctx->frame_offset underflow (GitHub PR). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can cause the runtime to crash due to memory corruption through a double free error. This occurs when processing otherwise valid WebAssembly modules, affecting the stability and availability of applications using the runtime (GitHub Issue).

The vulnerability has been patched in version 1.3.0 of the WebAssembly Micro Runtime. Users are advised to upgrade to this version or later to address the issue (NVD).