CVE-2023-52284: Double Free

December 31, 2023 (updated January 8, 2024)

Bytecode Alliance wasm-micro-runtime (aka WebAssembly Micro Runtime or WAMR) before 1.3.0 can have an “double free or corruption” error for a valid WebAssembly module because push_pop_frame_ref_offset is mishandled.

References

github.com/bytecodealliance/wasm-micro-runtime/compare/WAMR-1.2.3...WAMR-1.3.0
github.com/bytecodealliance/wasm-micro-runtime/issues/2586
github.com/bytecodealliance/wasm-micro-runtime/pull/2590
nvd.nist.gov/vuln/detail/CVE-2023-52284

Detect and mitigate CVE-2023-52284 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →