{"id":"RUSTSEC-2024-0442","summary":"Dump Undefined Memory by `JitDumpFile`","details":"The unsound function `dump_code_load_record` uses `from_raw_parts` to directly convert \nthe pointer `addr` and `len` into a slice without any validation and that memory block \nwould be dumped.\n\nThus, the 'safe' function dump_code_load_record is actually 'unsafe' since it requires \nthe caller to guarantee that the addr is valid and len must not overflow.\nOtherwise, the function could dump the memory into file illegally, causing memory leak.\n\n\u003e **Note**: this is an internal-only crate in the Wasmtime project not intended for\nexternal use and is more strongly signaled nowadays as of\n[bytecodealliance/wasmtime#10963](https://github.com/bytecodealliance/wasmtime/pull/10963).\nPlease open an issue in Wasmtime if you're using this crate directly.","aliases":["GHSA-9ghp-w2hm-vfpf"],"modified":"2025-10-28T06:29:24.080240Z","published":"2024-07-06T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/wasmtime-jit-debug"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2024-0442.html"},{"type":"REPORT","url":"https://github.com/bytecodealliance/wasmtime/issues/8905"}],"affected":[{"package":{"name":"wasmtime-jit-debug","ecosystem":"crates.io","purl":"pkg:cargo/wasmtime-jit-debug"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"24.0.0"}]}],"ecosystem_specific":{"affects":{"os":[],"functions":["wasmtime_jit_debug::perf_jitdump::JitDumpFile::dump_code_load_record"],"arch":[]},"affected_functions":null},"database_specific":{"informational":"unsound","categories":["memory-exposure"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0442.json","cvss":null}}],"schema_version":"1.7.3"}