
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Wasmtime, an open source runtime for WebAssembly, contains a race condition vulnerability (CVE-2024-47813) in its internal type registry management. The vulnerability affects versions from 19.0.0 onwards and was discovered in the development of the WebAssembly GC proposal. Under specific concurrent event orderings, a wasmtime::Engine's internal type registry could experience double-unregistration bugs, potentially leading to panics and type registry corruption (GitHub Advisory).
The vulnerability stems from a race condition in the management of type registries where individual types maintain a registration count of usage. The issue occurs when one thread decrements a type entry's registration count to zero and attempts to acquire a lock for unregistration, while another thread performs a sequence of operations including re-registering, dropping, and unregistering the same type. This time-of-check versus time-of-use (TOCTOU) bug can result in a double-unregistration of the entry. The vulnerability has been assigned a CVSS v3.1 base score of 2.9 (LOW) with vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L (GitHub Advisory).
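The event ordering described above can be replayed deterministically on one thread. The following is an added example, not Wasmtime's code: the Registry and Entry types, their fields and the function names are hypothetical, and the re-check under the lock is an illustrative way to close the window, not a copy of the Wasmtime patch.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering::SeqCst};
use std::sync::{Arc, Mutex};

// Toy model (hypothetical names): one entry per type id, with a usage count.
struct Entry { id: u32, registrations: AtomicUsize, unregistered: AtomicBool }

#[derive(Default)]
struct Registry { map: Mutex<HashMap<u32, Arc<Entry>>>, double_unregisters: AtomicUsize }

impl Registry {
    // Registers under the lock; an entry whose count already hit zero can be resurrected.
    fn register(&self, id: u32) -> Arc<Entry> {
        let mut map = self.map.lock().unwrap();
        let e = map.entry(id).or_insert_with(|| Arc::new(Entry {
            id, registrations: AtomicUsize::new(0), unregistered: AtomicBool::new(false) }));
        e.registrations.fetch_add(1, SeqCst);
        Arc::clone(e)
    }
    // Time of check: the decrement happens outside the lock. True means "caller must unregister".
    fn release(e: &Entry) -> bool { e.registrations.fetch_sub(1, SeqCst) == 1 }

    // Time of use. `recheck = false` trusts the stale zero observed in `release`.
    fn unregister(&self, e: &Entry, recheck: bool) {
        let mut map = self.map.lock().unwrap();
        if recheck && (e.registrations.load(SeqCst) != 0 || e.unregistered.load(SeqCst)) {
            return; // resurrected, or another thread already unregistered it
        }
        if map.remove(&e.id).is_none() {
            self.double_unregisters.fetch_add(1, SeqCst); // a panic or corruption in a real registry
        }
        e.unregistered.store(true, SeqCst);
    }
}

// Replays the ordering from the text on one thread so the outcome is deterministic.
fn replay(recheck: bool) -> usize {
    let reg = Registry::default();
    let a = reg.register(7);
    let a_saw_zero = Registry::release(&a); // thread A: count -> 0, lock not yet taken
    let b = reg.register(7);                // thread B: re-registers the same entry
    if Registry::release(&b) { reg.unregister(&b, recheck); } // thread B: drops, unregisters
    if a_saw_zero { reg.unregister(&a, recheck); }            // thread A: finally gets the lock
    reg.double_unregisters.load(SeqCst)
}

fn main() {
    println!("unchecked: {} double unregistration(s)", replay(false));
    println!("rechecked: {} double unregistration(s)", replay(true));
}
```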
The vulnerability could lead to violations of WebAssembly's control-flow integrity (CFI) and type safety: in specific scenarios, it could allow functions to be called with incorrect arguments. However, users who don't use a wasmtime::Engine across multiple threads, or who only create new modules across threads over time, are not affected. Importantly, WebAssembly guests cannot trigger this bug (GitHub Advisory).
The vulnerability has been patched in multiple Wasmtime versions: 21.0.2, 22.0.1, 23.0.3, 24.0.1, and 25.0.2. For applications that create and drop Wasmtime types on multiple threads concurrently, there are no known workarounds, and users are strongly encouraged to upgrade to a patched release (GitHub Advisory).
Source: This report was generated using AI