CVE-2024-35420

6.2 MEDIUM

📋 TL;DR

CVE-2024-35420 is a heap overflow vulnerability in wac (WebAssembly Compiler) that allows attackers to write beyond allocated memory boundaries. This could lead to arbitrary code execution or denial of service. Anyone using vulnerable versions of wac is affected.

💻 Affected Systems

Products:
  • wac (WebAssembly Compiler)
Versions: up to commit 385e1
Operating Systems: All platforms running wac
Default Config Vulnerable: ⚠️ Yes
Notes: Any system using wac to compile WebAssembly code is potentially vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Application crash causing denial of service, potentially with memory corruption that could be leveraged for further exploitation.

🟢 If Mitigated

Controlled crash with minimal impact if proper memory protections and exploit mitigations are in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof of concept available in GitHub references; heap overflow vulnerabilities are commonly weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit 385e1

Vendor Advisory: https://github.com/kanaka/wac/issues/20

Restart Required: No

Instructions:

1. Update wac to the latest version from the GitHub repository.
2. Recompile any affected WebAssembly code with the patched version.

🔧 Temporary Workarounds

Disable wac usage (applies to: all)

Temporarily stop using wac for WebAssembly compilation until patched.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for WebAssembly code processed by wac.
  • Deploy memory protection mechanisms like ASLR and DEP to reduce exploit success.

🔍 How to Verify

Check if Vulnerable:

Check wac version or commit hash; if using commit 385e1 or earlier, it's vulnerable.

Check Version:

Run wac --version, or check the git commit hash of the checked-out repository.

Verify Fix Applied:

Verify wac version is updated beyond commit 385e1 and test with known malicious inputs.
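The commit check above can be automated against a local clone. The script below is an added example, not part of the advisory or the wac project: it asks git whether HEAD is reachable from the last vulnerable commit (a commit counts as its own ancestor, so HEAD == 385e1 is reported as vulnerable), reports "patched" only when the reference commit is an ancestor of HEAD, and refuses to guess when the two have diverged or the commit is absent (shallow clone, wrong repository). The abbreviated hash 385e1 is taken as quoted by the advisory; substitute the full hash if git cannot resolve it unambiguously in your clone.

```shell
#!/bin/sh
# Added example (not from the advisory or the wac project).
# Exit codes of wac_vulnerable: 0 = vulnerable, 1 = patched, 2 = cannot tell.

# Abbreviated hash as quoted by the advisory (assumed to resolve in your clone).
LAST_VULN_COMMIT=385e1

wac_vulnerable() {
    repo=$1
    last_vuln=${2:-$LAST_VULN_COMMIT}

    # The reference commit must exist locally before ancestry means anything.
    if ! git -C "$repo" rev-parse --verify --quiet "${last_vuln}^{commit}" >/dev/null; then
        echo "unknown: commit $last_vuln not found in $repo (shallow clone or wrong repository?)" >&2
        return 2
    fi

    # HEAD reachable from the last vulnerable commit (or equal to it): vulnerable.
    if git -C "$repo" merge-base --is-ancestor HEAD "$last_vuln"; then
        echo "VULNERABLE: HEAD of $repo is at or before $last_vuln"
        return 0
    fi

    # Last vulnerable commit reachable from HEAD: the later commits are present.
    if git -C "$repo" merge-base --is-ancestor "$last_vuln" HEAD; then
        echo "patched: HEAD of $repo is after $last_vuln"
        return 1
    fi

    # Neither is an ancestor of the other: HEAD sits on a branch that diverged
    # before the fix, so the commit history alone cannot answer the question.
    echo "unknown: HEAD of $repo and $last_vuln have diverged" >&2
    return 2
}

# Usage: ./check_wac.sh /path/to/wac [last-vulnerable-commit]
if [ $# -gt 0 ]; then
    wac_vulnerable "$1" "${2:-$LAST_VULN_COMMIT}"
fi
```

Run it from a CI job or a fleet-wide inventory script and treat exit code 2 as "needs a human look" rather than as a pass.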

📡 Detection & Monitoring

Log Indicators:

  • Unexpected wac process crashes
  • Memory access violation errors in system logs

Network Indicators:

  • Unusual network traffic to/from wac processes

SIEM Query:

Process: wac AND (EventID: 1000 OR EventID: 1001) OR Memory: AccessViolation
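The query above is pseudo-syntax, and as written its trailing OR would match an access violation in any process. The script below is an added example, not part of the advisory: it normalises two constructed log sources (a key=value flattening of Windows Application-log events and Linux kernel segfault notices) and applies the query's conditions restricted to the wac process, so unrelated crashes do not page anyone. The log lines, hostnames and PIDs are constructed for the example.

```python
"""Added example (not from the advisory): apply the advisory's SIEM query, anchored
on the wac process, to constructed Windows event-log and Linux kernel log lines."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed key=value flattening of Windows Application-log events.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Linux kernel segfault notice, e.g. "wac[4242]: segfault at 7ffd0000 ip ... error 4 in wac[...]".
SEGV_RE = re.compile(r'(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)')

CRASH_EVENT_IDS = {1000, 1001}   # event IDs named in the advisory's query
WAC_NAMES = {'wac', 'wac.exe'}


@dataclass
class Indicator:
    source: str      # 'eventlog' or 'kernel'
    process: str
    reason: str
    raw: str


def parse_kv(line: str) -> dict:
    """Turn 'Key=value Key2="quoted value"' into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(line: str) -> Optional[Indicator]:
    """Return an Indicator when the line is a wac crash signal, else None."""
    m = SEGV_RE.search(line)
    if m:
        # Kernel line: a segfault in some other process is not our signal.
        if m.group('proc') in WAC_NAMES:
            return Indicator('kernel', m.group('proc'), f"segfault at 0x{m.group('addr')}", line)
        return None

    rec = parse_kv(line)
    proc = rec.get('Process', '').lower()
    if proc not in WAC_NAMES:
        return None                  # the query anchors on Process: wac
    try:
        event_id = int(rec.get('EventID', '-1'))
    except ValueError:
        event_id = -1
    if event_id in CRASH_EVENT_IDS:
        return Indicator('eventlog', proc, f'EventID {event_id}', line)
    if rec.get('Memory') == 'AccessViolation':
        return Indicator('eventlog', proc, 'AccessViolation', line)
    return None


def scan(lines: Iterable[str]) -> List[Indicator]:
    """Run classify over a log stream and keep only the hits."""
    return [ind for ind in map(classify, lines) if ind is not None]


# Constructed sample lines; only four of them should be flagged.
SAMPLE_LOGS = [
    '2024-05-20T10:01:02Z Host=build01 Process=wac EventID=1000 Source="Application Error" Msg="Faulting application wac.exe"',
    '2024-05-20T10:01:05Z Host=build01 Process=wac EventID=1001 Source="Windows Error Reporting"',
    '2024-05-20T10:02:00Z Host=build01 Process=notepad EventID=1000 Source="Application Error"',
    '2024-05-20T10:03:11Z Host=build02 Process=wac EventID=4688 Memory=AccessViolation',
    '2024-05-20T10:03:12Z Host=build02 Process=wac EventID=4688 Msg="wac started"',
    'May 20 10:04:01 build03 kernel: wac[4242]: segfault at 7ffd0000 ip 000055d0c0de1234 sp 00007ffd12345678 error 4 in wac[55d0c0de0000+20000]',
    'May 20 10:04:02 build03 kernel: python3[4300]: segfault at 0 ip 00007f0000001234 sp 00007ffd00000000 error 4 in python3[7f0000000000+200000]',
]

if __name__ == '__main__':
    for ind in scan(SAMPLE_LOGS):
        print(f'{ind.source:8} {ind.process:8} {ind.reason}')
```

Feeding the real event log and kernel ring buffer through the same two parsers gives a single alert stream; a burst of these indicators from one host within a short window is the pattern to investigate, since a lone crash of a development tool is usually just a bug.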

🔗 References
