Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly's control-flow integrity (CFI) and type safety. Users that do not use `wasmtime::Engine` across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected. Reproducing this bug requires creating and dropping multiple type instances (such as `wasmtime::FuncType` or `wasmtime::ArrayType`) concurrently on multiple threads, where all types are associated with the same `wasmtime::Engine`. **Wasm guests cannot trigger this bug.** See the "References" section below for a list of Wasmtime types-related APIs that are affected. Wasmtime maintains an internal registry of types within a `wasmtime::Engine` and an engine is shareable across threads. Types can be created and referenced through creation of a `wasmtime::Module`, creation of `wasmtime::FuncType`, or a number of other APIs where the host creates a function (see "References" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly's `call_indirect` function, for example. This bug is a race condition in this management where the internal type registry could be corrupted to trigger an assert or contain invalid state. Wasmtime's internal representation of a type has individual types (e.g. one-per-host-function) maintain a registration count of how many time it's been used. Types additionally have state within an engine behind a read-write lock such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where one thread atomically decrements a type entry's registration count, observes zero registrations, and then acquires a lock in order to unregister that entry. However, between when this first thread observed the zero-registration count and when it acquires that lock, another thread could perform the following sequence of events: re-register another copy of the type, which deduplicates to that same entry, resurrecting it and incrementing its registration count; then drop the type and decrement its registration count; observe that the registration count is now zero; acquire the type registry lock; and finally unregister the type. Now, when the original thread finally acquires the lock and unregisters the entry, it is the second time this entry has been unregistered. This bug was originally introduced in Wasmtime 19's development of the WebAssembly GC proposal. This bug affects users who are not using the GC proposal, however, and affects Wasmtime in its default configuration even when the GC proposal is disabled. Wasmtime users using 19.0.0 and after are all affected by this issue. We have released the following Wasmtime versions, all of which have a fix for this bug: * 21.0.2 * 22.0.1 * 23.0.3 * 24.0.1 * 25.0.2. If your application creates and drops Wasmtime types on multiple threads concurrently, there are no known workarounds. Users are encouraged to upgrade to a patched release.
This vulnerability carries a LOW severity rating with a CVSS v3.1 score of 2.9, requiring local system access to exploit but requires specific conditions to be met though user interaction is required . The vulnerability impacts limited integrity, and limited availability for affected systems. Impacting 1 product from bytecodealliance organizations running these solutions should prioritize assessment and patching.
Reported in 2024, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.
2024-10-09T18:15:09.120
2025-09-29T13:11:34.543
Analyzed
CVSSv3.1: 2.9 (LOW)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | bytecodealliance | wasmtime | 19.0.0 | Yes |
| Application | bytecodealliance | wasmtime | 19.0.1 | Yes |
| Application | bytecodealliance | wasmtime | 19.0.2 | Yes |
| Application | bytecodealliance | wasmtime | 20.0.0 | Yes |
| Application | bytecodealliance | wasmtime | 20.0.1 | Yes |
| Application | bytecodealliance | wasmtime | 20.0.2 | Yes |
| Application | bytecodealliance | wasmtime | 21.0.0 | Yes |
| Application | bytecodealliance | wasmtime | 21.0.1 | Yes |
| Application | bytecodealliance | wasmtime | 22.0.0 | Yes |
| Application | bytecodealliance | wasmtime | 23.0.0 | Yes |
| Application | bytecodealliance | wasmtime | 23.0.1 | Yes |
| Application | bytecodealliance | wasmtime | 23.0.2 | Yes |
| Application | bytecodealliance | wasmtime | 24.0.0 | Yes |
| Application | bytecodealliance | wasmtime | 25.0.0 | Yes |
| Application | bytecodealliance | wasmtime | 25.0.1 | Yes |
SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For bytecodealliance's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.