CVE-2024-30266 - Vulnerability Details - OpenCVE

wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this panic. This vulnerability has been patched in version 19.0.1.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0002.

Key SSVC decision points have not yet been added.

Vendors	Products
Bytecodealliance	Wasmtime

Configuration 1 [-]

cpe:2.3:a:bytecodealliance:wasmtime:19.0.0:*:*:*:*:rust:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Bytecodealliance	Wasmtime

References

Link	Providers
https://github.com/bytecodealliance/wasmtime/commit/7f57d0bb0948fa56cc950278d0db230ed10e8664
https://github.com/bytecodealliance/wasmtime/issues/8281
https://github.com/bytecodealliance/wasmtime/pull/8018
https://github.com/bytecodealliance/wasmtime/pull/8283
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5

History

Tue, 02 Sep 2025 15:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:bytecodealliance:wasmtime:19.0.0:::::rust::

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-04T15:42:00.200Z

Updated: 2024-08-02T01:32:07.072Z

Reserved: 2024-03-26T12:52:00.935Z

Link: CVE-2024-30266

Vulnrichment

Updated: 2024-08-02T01:32:07.072Z

NVD

Status : Analyzed

Published: 2024-04-04T16:15:09.107

Modified: 2025-09-02T14:46:00.480

Link: CVE-2024-30266

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-07-13T11:32:03Z

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-30266", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-26T12:52:00.935Z", "datePublished": "2024-04-04T15:42:00.200Z", "dateUpdated": "2024-08-02T01:32:07.072Z"}, "containers": {"cna": {"title": "Wasmtime vulnerable to panic when using a dropped extenref-typed element segment", "problemTypes": [{"descriptions": [{"cweId": "CWE-843", "lang": "en", "description": "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5"}, {"name": "https://github.com/bytecodealliance/wasmtime/issues/8281", "tags": ["x_refsource_MISC"], "url": "https://github.com/bytecodealliance/wasmtime/issues/8281"}, {"name": "https://github.com/bytecodealliance/wasmtime/pull/8018", "tags": ["x_refsource_MISC"], "url": "https://github.com/bytecodealliance/wasmtime/pull/8018"}, {"name": "https://github.com/bytecodealliance/wasmtime/pull/8283", "tags": ["x_refsource_MISC"], "url": "https://github.com/bytecodealliance/wasmtime/pull/8283"}, {"name": "https://github.com/bytecodealliance/wasmtime/commit/7f57d0bb0948fa56cc950278d0db230ed10e8664", "tags": ["x_refsource_MISC"], "url": "https://github.com/bytecodealliance/wasmtime/commit/7f57d0bb0948fa56cc950278d0db230ed10e8664"}], "affected": [{"vendor": "bytecodealliance", "product": "wasmtime", "versions": [{"version": "= 19.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-04T15:42:00.200Z"}, "descriptions": [{"lang": "en", "value": "wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this panic. This vulnerability has been patched in version 19.0.1."}], "source": {"advisory": "GHSA-75hq-h6g9-h4q5", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-30266", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-04T19:54:05.029928Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:38:20.190Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:32:07.072Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5"}, {"name": "https://github.com/bytecodealliance/wasmtime/issues/8281", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bytecodealliance/wasmtime/issues/8281"}, {"name": "https://github.com/bytecodealliance/wasmtime/pull/8018", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bytecodealliance/wasmtime/pull/8018"}, {"name": "https://github.com/bytecodealliance/wasmtime/pull/8283", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bytecodealliance/wasmtime/pull/8283"}, {"name": "https://github.com/bytecodealliance/wasmtime/commit/7f57d0bb0948fa56cc950278d0db230ed10e8664", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bytecodealliance/wasmtime/commit/7f57d0bb0948fa56cc950278d0db230ed10e8664"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5", "name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/bytecodealliance/wasmtime/issues/8281", "name": "https://github.com/bytecodealliance/wasmtime/issues/8281", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/bytecodealliance/wasmtime/pull/8018", "name": "https://github.com/bytecodealliance/wasmtime/pull/8018", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/bytecodealliance/wasmtime/pull/8283", "name": "https://github.com/bytecodealliance/wasmtime/pull/8283", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/bytecodealliance/wasmtime/commit/7f57d0bb0948fa56cc950278d0db230ed10e8664", "name": "https://github.com/bytecodealliance/wasmtime/commit/7f57d0bb0948fa56cc950278d0db230ed10e8664", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:32:07.072Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-30266", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-04T19:54:05.029928Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:22.147Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Wasmtime vulnerable to panic when using a dropped extenref-typed element segment", "source": {"advisory": "GHSA-75hq-h6g9-h4q5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "bytecodealliance", "product": "wasmtime", "versions": [{"status": "affected", "version": "= 19.0.0"}]}], "references": [{"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5", "name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/bytecodealliance/wasmtime/issues/8281", "name": "https://github.com/bytecodealliance/wasmtime/issues/8281", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/bytecodealliance/wasmtime/pull/8018", "name": "https://github.com/bytecodealliance/wasmtime/pull/8018", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/bytecodealliance/wasmtime/pull/8283", "name": "https://github.com/bytecodealliance/wasmtime/pull/8283", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/bytecodealliance/wasmtime/commit/7f57d0bb0948fa56cc950278d0db230ed10e8664", "name": "https://github.com/bytecodealliance/wasmtime/commit/7f57d0bb0948fa56cc950278d0db230ed10e8664", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this panic. This vulnerability has been patched in version 19.0.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-843", "description": "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-04T15:42:00.200Z"}}}, "cveMetadata": {"cveId": "CVE-2024-30266", "state": "PUBLISHED", "dateUpdated": "2024-08-02T01:32:07.072Z", "dateReserved": "2024-03-26T12:52:00.935Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-04-04T15:42:00.200Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:19.0.0:*:*:*:*:rust:*:*", "matchCriteriaId": "9C2CCC83-D074-46EA-9164-0B7C1B12FDCA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this panic. This vulnerability has been patched in version 19.0.1."}, {"lang": "es", "value": "wasmtime es un tiempo de ejecuci\u00f3n para WebAssembly. La versi\u00f3n 19.0.0 de Wasmtime contiene una regresi\u00f3n introducida durante su desarrollo que puede provocar que un m\u00f3dulo WebAssembly invitado cause p\u00e1nico en el tiempo de ejecuci\u00f3n del host. Un m\u00f3dulo WebAssembly v\u00e1lido, cuando se ejecuta en tiempo de ejecuci\u00f3n, puede provocar este p\u00e1nico. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 19.0.1."}], "id": "CVE-2024-30266", "lastModified": "2025-09-02T14:46:00.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-04T16:15:09.107", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/bytecodealliance/wasmtime/commit/7f57d0bb0948fa56cc950278d0db230ed10e8664"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/bytecodealliance/wasmtime/issues/8281"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/bytecodealliance/wasmtime/pull/8018"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/bytecodealliance/wasmtime/pull/8283"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory", "Mitigation"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/bytecodealliance/wasmtime/commit/7f57d0bb0948fa56cc950278d0db230ed10e8664"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/bytecodealliance/wasmtime/issues/8281"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/bytecodealliance/wasmtime/pull/8018"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/bytecodealliance/wasmtime/pull/8283"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "Mitigation"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-843"}], "source": "security-advisories@github.com", "type": "Secondary"}]}