CVE-2024-34251

7.5 HIGH

📋 TL;DR

An out-of-bounds memory read vulnerability in Bytecode Alliance wasm-micro-runtime v2.0.0 allows remote attackers to cause denial of service by exploiting the block_type_get_arity function. This affects systems running WebAssembly modules through the vulnerable runtime. The vulnerability can be triggered remotely without authentication.

💻 Affected Systems

Products:
  • Bytecode Alliance wasm-micro-runtime
Versions: 2.0.0
Operating Systems: All platforms running wasm-micro-runtime
Default Config Vulnerable: ⚠️ Yes
Notes: Any system using wasm-micro-runtime v2.0.0 to execute WebAssembly modules is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption through denial of service, potentially leading to application crashes and unavailability.

🟠 Likely Case

Service instability and intermittent crashes affecting WebAssembly module execution.

🟢 If Mitigated

Minimal impact with proper input validation and runtime isolation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious WebAssembly modules to trigger the out-of-bounds read.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after v2.0.0

Vendor Advisory: https://github.com/bytecodealliance/wasm-micro-runtime/issues/3347

Restart Required: Yes

Instructions:

1. Check the current wasm-micro-runtime version.
2. Update to the latest version from the official repository.
3. Recompile any applications using the runtime.
4. Restart affected services.

🔧 Temporary Workarounds

Input Validation

all

Implement strict validation of WebAssembly modules before execution

Runtime Isolation

all

Run wasm-micro-runtime in isolated containers or sandboxes

🧯 If You Can't Patch

  • Implement network segmentation to limit access to vulnerable systems
  • Deploy Web Application Firewall (WAF) rules to detect malicious WebAssembly payloads

🔍 How to Verify

Check if Vulnerable:

Check if wasm-micro-runtime version is exactly 2.0.0

Check Version:

Check build configuration or runtime version output

Verify Fix Applied:

Verify that the version is later than 2.0.0

📡 Detection & Monitoring

Log Indicators:

  • Unexpected runtime crashes
  • Memory access violation errors
  • WebAssembly module execution failures

Network Indicators:

  • Unusual WebAssembly module uploads
  • Repeated connection attempts to WebAssembly endpoints

SIEM Query:

source="wasm-runtime" AND (event="crash" OR event="memory_violation")
