
CVE-2022-39393

High

Published: 10 November 2022
Modified: 02 May 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0059 (69.8th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-39393 is a high-severity Sensitive Information in Resource Not Removed Before Reuse (CWE-226) vulnerability in Bytecodealliance Wasmtime. Its CVSS base score is 8.6 (High).

Operationally, it is ranked in the top 30.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.


Vulnerability details

Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where, when a linear memory is reused for another instance, the initial heap snapshot of the prior instance can erroneously be visible to the next instance. This bug has been patched and users should upgrade to Wasmtime 2.0.2 or 1.0.2. Other mitigations include disabling the pooling allocator and disabling `memory-init-cow`.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

bytecodealliance
wasmtime
≤ 1.0.2 · 2.0.0 — 2.0.2

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-212 CWE-226

Eradication of spilled information from contaminated systems mitigates the effects of improper removal of sensitive data before storage or transfer.

addresses: CWE-212 CWE-226

The control requires verified removal of sensitive data before media is made available at a reduced classification level, directly addressing improper removal prior to storage or transfer.

addresses: CWE-212 CWE-226

Retention policies enforce removal or sanitization of sensitive data before storage or transfer per regulatory requirements.

addresses: CWE-212 CWE-226

The explicit requirement to delete inaccurate/outdated PII implements proper removal of sensitive information before further storage or transfer.

addresses: CWE-212 CWE-226

The generate-on-demand-and-delete requirement enforces removal of sensitive information before storage or transfer, preventing improper retention.

addresses: CWE-212 CWE-226

Requires explicit removal of sensitive information prior to component transfer or disposal, reducing exposure from retained data.

addresses: CWE-226

Requiring sanitization of media prior to removal for off-site maintenance ensures sensitive information is removed before the resource is reused or accessed externally.

addresses: CWE-226

Procedures include sanitization, overwriting, and disposal requirements to remove sensitive data before media reuse or release.
