CVE-2021-39216

Published on: 09/17/2021 12:00:00 AM UTC

Last Modified on: 12/21/2021 02:18:00 PM UTC

CVE-2021-39216 - advisory for GHSA-v4cp-h94r-m7xf

Source: Mitre Source: Nist Print: PDF PDF
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Certain versions of Wasmtime from Bytecodealliance contain the following vulnerability:

Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime's `VMExternRefActivationsTable` became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to `wasmtime::Config::wasm_reference_types`.

  • CVE-2021-39216 has been assigned by URL Logo [email protected] to track the vulnerability - currently rated as MEDIUM severity.
  • Affected Vendor/Software: URL Logo bytecodealliance - wasmtime version >=0.19.0, <=0.29.0

CVSS3 Score: 6.3 - MEDIUM

Attack
Vector
Attack
Complexity
Privileges
Required
User
Interaction
LOCAL HIGH LOW NONE
Scope Confidentiality
Impact
Integrity
Impact
Availability
Impact
UNCHANGED NONE HIGH HIGH

CVSS2 Score: 3.3 - LOW

Access
Vector
Access
Complexity
Authentication
LOCAL MEDIUM NONE
Confidentiality
Impact
Integrity
Impact
Availability
Impact
NONE PARTIAL PARTIAL

CVE References

Description Tags Link
crates.io
application/json
Inactive LinkNot Archived
URL Logo MISC crates.io/crates/wasmtime
Use after free passing `externref`s to Wasm in Wasmtime · Advisory · bytecodealliance/wasmtime · GitHub github.com
text/html
URL Logo CONFIRM github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf
[SECURITY] Fedora 34 Update: rust-wasmtime-fiber-0.30.0-1.fc34 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
URL Logo FEDORA FEDORA-2021-1805eacb48
[SECURITY] Fedora 35 Update: rust-cranelift-frontend-0.77.0-1.fc35 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
text/html
URL Logo FEDORA FEDORA-2021-68713440cb
Merge pull request from GHSA-v4cp-h94r-m7xf · bytecodealliance/[email protected] · GitHub github.com
text/html
URL Logo MISC github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3

Related QID Numbers

  • 281958 Fedora Security Update for rust (FEDORA-2021-1805eacb48)

Exploit/POC from Github

PoC for exploiting CVE-2021-39216 : Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from versi…

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
ApplicationBytecodeallianceWasmtimeAllAllAllAll
Operating
System
FedoraprojectFedora34AllAllAll
Operating
System
FedoraprojectFedora35AllAllAll
  • cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:*:*:*:
  • cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*:
  • cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*:

Social Mentions

Source Title Posted (UTC)
Twitter Icon @CVEreport CVE-2021-39216 : Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and bef… twitter.com/i/web/status/1… 2021-09-17 20:10:41
Twitter Icon @SecRiskRptSME RT: CVE-2021-39216 Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and… twitter.com/i/web/status/1… 2021-09-18 07:33:14
© CVE.report 2022 Twitter Nitter Twitter Viewer |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report