Wasmi WebAssembly Interpreter Use-After-Free Vulnerability in Linear Memory Implementation

Vulnerability

A use-after-free vulnerability has been identified in the Wasmi WebAssembly interpreter, specifically in versions 0.41.0, 0.41.1, 0.42.0 through 0.47.1, 0.50.0 through 0.51.2, and 1.0.0. The vulnerability arises in the linear memory implementation, triggered by a WebAssembly module under certain memory growth conditions. This issue could lead to memory corruption, unauthorized information disclosure, or arbitrary code execution.

Impact

Exploitation of this vulnerability could result in memory corruption, allowing for arbitrary writes, and potentially leading to unauthorized code execution. Additionally, it could enable an attacker to read memory contents under their control, causing information disclosure. The vulnerability may also cause crashes in the Wasmi interpreter, disrupting availability.

Remediation

Users are advised to upgrade to Wasmi versions 0.41.2, 0.47.1, 0.51.3, or 1.0.1 and later. Additionally, consider limiting maximum linear memory sizes where feasible.
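
To check whether a project pins one of the versions listed above, the following Rust program scans the text of a Cargo.lock file for the wasmi crate. It is an added example, not code from the Wasmi project or from this advisory. The advisory lists 0.47.1 as both affected and fixed, so the example assumes the remediation list takes precedence; the function names and the sample lockfile are constructed for illustration.

```rust
type Ver = (u64, u64, u64);
// Affected ranges (inclusive), as listed in the advisory text above.
const AFFECTED: [(Ver, Ver); 4] = [
    ((0, 41, 0), (0, 41, 1)),
    ((0, 42, 0), (0, 47, 1)),
    ((0, 50, 0), (0, 51, 2)),
    ((1, 0, 0), (1, 0, 0)),
];
// Fixed releases from the Remediation section. 0.47.1 is on both lists;
// assumption made here: the remediation list takes precedence.
const FIXED: [Ver; 4] = [(0, 41, 2), (0, 47, 1), (0, 51, 3), (1, 0, 1)];
// Constructed sample lockfile excerpt, not taken from a real project.
const SAMPLE: &str = "[[package]]\nname = \"wasmi\"\nversion = \"0.51.2\"\n\n\
[[package]]\nname = \"wasmi_core\"\nversion = \"0.51.2\"\n";

fn parse_version(s: &str) -> Option<Ver> {
    // Pre-release/build suffixes are dropped, so "1.0.0-rc.1" counts as 1.0.0.
    let core = s.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    let v = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some(v) }
}

fn is_affected(v: Ver) -> bool {
    !FIXED.contains(&v) && AFFECTED.iter().any(|(lo, hi)| *lo <= v && v <= *hi)
}

/// Returns every affected `wasmi` version pinned in the given Cargo.lock text.
fn affected_wasmi(lock: &str) -> Vec<String> {
    let (mut hits, mut in_wasmi) = (Vec::new(), false);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_wasmi = false;
        } else if line == "name = \"wasmi\"" {
            in_wasmi = true;
        } else if let (true, Some(raw)) = (in_wasmi, line.strip_prefix("version = \"")) {
            let raw = raw.trim_end_matches('"');
            // A version that cannot be parsed is reported, not silently skipped.
            if parse_version(raw).map_or(true, is_affected) {
                hits.push(raw.to_string());
            }
            in_wasmi = false;
        }
    }
    hits
}

fn main() {
    for v in affected_wasmi(SAMPLE) {
        println!("wasmi {} is in an affected range; upgrade to a fixed release", v);
    }
}
```

Only the crate named exactly wasmi is matched, so the wasmi_core entry in the sample is ignored.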

Added: Dec 9, 2025, 6:23 PM
Updated: Dec 10, 2025, 12:08 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.3
remediation: 7.9
relevance: 1.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.