CVE-2024-35418

6.2 MEDIUM

📋 TL;DR

CVE-2024-35418 is a heap overflow vulnerability in wac's setup_call function that allows attackers to cause Denial of Service (DoS) by providing a malicious WebAssembly (wasm) file. This affects systems running vulnerable versions of wac that process untrusted wasm files. The vulnerability requires an attacker to supply a crafted wasm file to the application.

💻 Affected Systems

Products:
  • wac (WebAssembly C interpreter)
Versions: Up to commit 385e1 (specifically vulnerable in the wac-asan build)
Operating Systems: All platforms running wac
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the wac-asan build variant; standard builds may also be affected, but specific testing is needed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption through DoS, potentially leading to remote code execution if heap corruption can be controlled precisely.

🟠 Likely Case

Service crashes and DoS from malformed wasm file processing.

🟢 If Mitigated

Limited impact if wasm files are from trusted sources only.

🌐 Internet-Facing: MEDIUM - Requires ability to upload or provide wasm files to the service.
🏢 Internal Only: LOW - Typically requires local access or internal compromise to exploit.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept is available in the GitHub issue; exploitation requires providing a crafted wasm file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit 385e1 (check GitHub for latest)

Vendor Advisory: https://github.com/kanaka/wac/issues/19

Restart Required: Yes

Instructions:

1. Update wac to latest version from GitHub repository.
2. Recompile if using source.
3. Restart any services using wac.

🔧 Temporary Workarounds

Restrict wasm file sources (Platform: all)

Only allow wasm files from trusted, verified sources.

Input validation (Platform: all)

Implement strict validation of wasm files before processing.

🧯 If You Can't Patch

  • Isolate wac instances in restricted network segments
  • Implement application-level firewalls to filter wasm file uploads

🔍 How to Verify

Check if Vulnerable:

Check the wac version or commit hash; if it is at or before 385e1, the build is likely vulnerable.

Check Version:

wac --version or check git commit hash if built from source

Verify Fix Applied:

Verify that the wac version is after commit 385e1 and test with a known malicious wasm file.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes, segmentation faults, abnormal termination of wac processes

Network Indicators:

  • Unexpected wasm file uploads to services using wac

SIEM Query:

Process:name='wac' AND EventID=1000 (Application Crash)
