Vulnerability-Lookup

CVE-2021-39216 (GCVE-0-2021-39216)

Vulnerability from cvelistv5 – Published: 2021-09-17 20:05 – Updated: 2024-08-04 01:58

Title

Use after free passing `externref`s to Wasm in Wasmtime

Summary

Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime's `VMExternRefActivationsTable` became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to `wasmtime::Config::wasm_reference_types`.

Severity ?

6.3 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	bytecodealliance	wasmtime	Affected: >=0.19.0, <=0.29.0

PYSEC-2021-320

Vulnerability from pysec - Published: 2021-09-17 20:15 - Updated: 2021-09-17 22:30

Details

Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing externrefs from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple externrefs from the host to a Wasm instance at the same time, either by passing multiple externrefs as arguments from host code to a Wasm function, or returning multiple externrefs to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime's VMExternRefActivationsTable became filled to capacity after passing the first externref in, then passing in the second externref could trigger a garbage collection. However the first externref is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first externref, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of externref is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing false to wasmtime::Config::wasm_reference_types.

Impacted products

Name	purl
wasmtime	pkg:pypi/wasmtime

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wasmtime",
        "purl": "pkg:pypi/wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "101998733b74624cbd348a2366d05760b40181f3"
            }
          ],
          "repo": "https://github.com/bytecodealliance/wasmtime",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.30.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.1",
        "0.0.2",
        "0.11.0",
        "0.12.0",
        "0.15.0",
        "0.15.1",
        "0.16.0",
        "0.16.1",
        "0.17.0",
        "0.18.0",
        "0.18.1",
        "0.18.2",
        "0.19.0",
        "0.20.0",
        "0.21.0",
        "0.22.0",
        "0.23.0",
        "0.24.0",
        "0.25.0",
        "0.26.0",
        "0.27.0",
        "0.28.0",
        "0.28.1",
        "0.29.0",
        "0.9.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39216",
    "GHSA-v4cp-h94r-m7xf"
  ],
  "details": "Wasmtime is an open source runtime for WebAssembly \u0026 WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime\u0027s `VMExternRefActivationsTable` became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to `wasmtime::Config::wasm_reference_types`.",
  "id": "PYSEC-2021-320",
  "modified": "2021-09-17T22:30:49.852358Z",
  "published": "2021-09-17T20:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://crates.io/crates/wasmtime"
    },
    {
      "type": "FIX",
      "url": "https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf"
    }
  ]
}

CVE-2021-39216

Vulnerability from osv_rustsec

Published

2021-09-17 12:00

Modified

2023-06-13 13:10

Summary

Multiple Vulnerabilities in Wasmtime

Details

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "memory-corruption",
          "memory-exposure"
        ],
        "cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "wasmtime::Linker::func_new",
            "wasmtime::Linker::func_wrap",
            "wasmtime::Store::gc"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime",
        "purl": "pkg:cargo/wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.30.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2021-39216",
    "CVE-2021-39218",
    "CVE-2021-39219",
    "GHSA-4873-36h9-wv49",
    "GHSA-q879-9g95-56mx",
    "GHSA-v4cp-h94r-m7xf"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "* [Use after free passing `externref`s to Wasm in\n  Wasmtime](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf)\n\n* [Out-of-bounds read/write and invalid free with `externref`s and GC safepoints\n  in\n  Wasmtime](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4873-36h9-wv49)\n\n* [Wrong type for `Linker`-define functions when used across two\n  `Engine`s](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q879-9g95-56mx)",
  "id": "RUSTSEC-2021-0110",
  "modified": "2023-06-13T13:10:24Z",
  "published": "2021-09-17T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/wasmtime"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0110.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4873-36h9-wv49"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q879-9g95-56mx"
    }
  ],
  "related": [],
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Multiple Vulnerabilities in Wasmtime"
}

FKIE_CVE-2021-39216

Vulnerability from fkie_nvd - Published: 2021-09-17 20:15 - Updated: 2024-11-21 06:18

Severity ?

6.3 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://crates.io/crates/wasmtime	Product
security-advisories@github.com	https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3	Third Party Advisory
security-advisories@github.com	https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf	Third Party Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/
af854a3a-2127-422b-91ae-364da2661108	https://crates.io/crates/wasmtime	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/

Impacted products

Vendor	Product	Version
bytecodealliance	wasmtime	*
fedoraproject	fedora	34
fedoraproject	fedora	35

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "610E88E6-811D-4E4A-936B-FAD8CC96B4D6",
              "versionEndExcluding": "0.30.0",
              "versionStartIncluding": "0.19.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
              "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
              "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Wasmtime is an open source runtime for WebAssembly \u0026 WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime\u0027s `VMExternRefActivationsTable` became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to `wasmtime::Config::wasm_reference_types`."
    },
    {
      "lang": "es",
      "value": "Wasmtime es un tiempo de ejecuci\u00f3n de c\u00f3digo abierto para WebAssembly y WASI. En Wasmtime desde la versi\u00f3n 0.19.0 y versiones anteriores a 0.30.0, se presentaba un error de uso de memoria previamente liberada cuando se pasaban \"externref\"s desde el host al contenido del Wasm invitado. Para desencadenar el bug, debes pasar expl\u00edcitamente m\u00faltiples \"externref\"s desde el host a una instancia de Wasm al mismo tiempo, ya sea pasando m\u00faltiples \"externref\"s como argumentos desde el c\u00f3digo del host a una funci\u00f3n de Wasm, o devolviendo m\u00faltiples \"externref\"s a Wasm desde una funci\u00f3n de retorno multivalente definida en el host. Si no tienes c\u00f3digo de host que coincida con una de estas formas, entonces no te afecta. Si la \"VMExternRefActivationsTable\" de Wasmtime se llen\u00f3 de capacidad despu\u00e9s de pasar la primera \"externref\", entonces pasar la segunda \"externref\" podr\u00eda desencadenar una recolecci\u00f3n de basura. Sin embargo, la primera \"externref\" no est\u00e1 arraigada hasta que pasamos el control a Wasm, y por lo tanto podr\u00eda ser recuperada por el recolector si nada m\u00e1s estuviera manteniendo una referencia a ella o la mantuviera viva. Entonces, cuando se pasara el control a Wasm despu\u00e9s de la recolecci\u00f3n de basura, Wasm podr\u00eda usar la primera \"externref\", que en este punto ya ha sido liberada. Tenemos razones para creer que el impacto efectivo de este error es relativamente peque\u00f1o porque el uso de \"externref\" es actualmente bastante raro. El bug ha sido corregido, y los usuarios deber\u00edan actualizar a Wasmtime versi\u00f3n 0.30.0. Si no puedes actualizar Wasmtime todav\u00eda, puedes evitar el bug deshabilitando el soporte de tipos de referencia en Wasmtime pasando \"false\" a \"wasmtime::Config::wasm_reference_types\""
    }
  ],
  "id": "CVE-2021-39216",
  "lastModified": "2024-11-21T06:18:55.553",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 3.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2021-09-17T20:15:07.703",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://crates.io/crates/wasmtime"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://crates.io/crates/wasmtime"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-V4CP-H94R-M7XF

Vulnerability from github – Published: 2021-09-20 19:54 – Updated: 2024-11-19 18:00

Summary

Use after free passing `externref`s to Wasm in Wasmtime

Details

Impact

There was a use-after-free bug when passing externrefs from the host to guest Wasm content.

To trigger the bug, you have to explicitly pass multiple externrefs from the host to a Wasm instance at the same time, either by

passing multiple externrefs as arguments from host code to a Wasm function,
or returning multiple externrefs to Wasm from a multi-value return function defined in the host.

If you do not have host code that matches one of these shapes, then you are not impacted.

If Wasmtime's VMExternRefActivationsTable became filled to capacity after passing the first externref in, then passing in the second externref could trigger a garbage collection. However the first externref is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first externref, which at this point has already been freed.

We have reason to believe that the effective impact of this bug is relatively small because usage of externref is currently quite rare.

Patches

The bug has been fixed, and users should upgrade to Wasmtime 0.30.0.

Additionally, we have updated our primary externref fuzz target such that it better exercises these code paths and we can have greater confidence in their correctness going forward.

Workarounds

If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing false to wasmtime::Config::wasm_reference_types.

References

The reference types Wasm proposal, which introduces externref

For more information

If you have any questions or comments about this advisory:

Reach out to us on the Bytecode Alliance Zulip chat
Open an issue in the bytecodealliance/wasmtime repository

Severity ?

6.3 (Medium)


                  
                    CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

6.1 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.30.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.30.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-17T20:05:21Z",
    "nvd_published_at": "2021-09-17T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThere was a use-after-free bug when passing `externref`s from the host to guest Wasm content.\n\nTo trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by\n\n* passing multiple `externref`s as arguments from host code to a Wasm function,\n* or returning multiple `externref`s to Wasm from a multi-value return function defined in the host.\n \nIf you do not have host code that matches one of these shapes, then you are not impacted.\n\nIf Wasmtime\u0027s [`VMExternRefActivationsTable`](https://github.com/bytecodealliance/wasmtime/blob/37c094faf53f1b356aab3c79d451395e4f7edb34/crates/runtime/src/externref.rs#L493) became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed.\n\nWe have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare.\n\n### Patches\n\nThe bug has been fixed, and users should upgrade to Wasmtime 0.30.0.\n\nAdditionally, we have updated [our primary `externref` fuzz target](https://github.com/bytecodealliance/wasmtime/blob/37c094faf53f1b356aab3c79d451395e4f7edb34/fuzz/fuzz_targets/table_ops.rs) such that it better exercises these code paths and we can have greater confidence in their correctness going forward.\n\n### Workarounds\n\nIf you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to [`wasmtime::Config::wasm_reference_types`](https://docs.rs/wasmtime/0.29.0/wasmtime/struct.Config.html#method.wasm_reference_types).\n\n### References\n\n* [The reference types Wasm proposal, which introduces `externref`](https://github.com/WebAssembly/reference-types/)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Reach out to us on [the Bytecode Alliance Zulip chat](https://bytecodealliance.zulipchat.com/#narrow/stream/217126-wasmtime)\n* Open an issue in [the `bytecodealliance/wasmtime` repository](https://github.com/bytecodealliance/wasmtime/)",
  "id": "GHSA-v4cp-h94r-m7xf",
  "modified": "2024-11-19T18:00:37Z",
  "published": "2021-09-20T19:54:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39216"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3"
    },
    {
      "type": "WEB",
      "url": "https://crates.io/crates/wasmtime"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bytecodealliance/wasmtime"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime-py/compare/0.29.0...0.30.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wasmtime/PYSEC-2021-320.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0110.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Use after free passing `externref`s to Wasm in Wasmtime"
}

GSD-2021-39216

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-39216

Aliases

CVE-2021-39216

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-39216",
    "description": "Wasmtime is an open source runtime for WebAssembly \u0026 WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime\u0027s `VMExternRefActivationsTable` became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to `wasmtime::Config::wasm_reference_types`.",
    "id": "GSD-2021-39216"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-39216"
      ],
      "details": "Wasmtime is an open source runtime for WebAssembly \u0026 WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime\u0027s `VMExternRefActivationsTable` became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to `wasmtime::Config::wasm_reference_types`.",
      "id": "GSD-2021-39216",
      "modified": "2023-12-13T01:23:15.204742Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-39216",
        "STATE": "PUBLIC",
        "TITLE": "Use after free passing `externref`s to Wasm in Wasmtime"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "wasmtime",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e=0.19.0, \u003c=0.29.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "bytecodealliance"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Wasmtime is an open source runtime for WebAssembly \u0026 WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime\u0027s `VMExternRefActivationsTable` became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to `wasmtime::Config::wasm_reference_types`."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-416: Use After Free"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf",
            "refsource": "CONFIRM",
            "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf"
          },
          {
            "name": "https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3",
            "refsource": "MISC",
            "url": "https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3"
          },
          {
            "name": "https://crates.io/crates/wasmtime",
            "refsource": "MISC",
            "url": "https://crates.io/crates/wasmtime"
          },
          {
            "name": "FEDORA-2021-68713440cb",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/"
          },
          {
            "name": "FEDORA-2021-1805eacb48",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-v4cp-h94r-m7xf",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=0.19.0 \u003c0.30.0",
          "affected_versions": "All versions starting from 0.19.0 before 0.30.0",
          "cvss_v2": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-416",
            "CWE-937"
          ],
          "date": "2021-12-21",
          "description": "Wasmtime is an open source runtime for WebAssembly \u0026 WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime\u0027s `VMExternRefActivationsTable` became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to `wasmtime::Config::wasm_reference_types`.",
          "fixed_versions": [
            "0.30.0"
          ],
          "identifier": "CVE-2021-39216",
          "identifiers": [
            "CVE-2021-39216",
            "GHSA-v4cp-h94r-m7xf"
          ],
          "not_impacted": "All versions before 0.19.0, all versions starting from 0.30.0",
          "package_slug": "conan/wasmtime",
          "pubdate": "2021-09-17",
          "solution": "Upgrade to version 0.30.0 or above.",
          "title": "Use After Free",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-39216",
            "https://crates.io/crates/wasmtime",
            "https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3",
            "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/"
          ],
          "uuid": "2b5f8e4d-c083-40c9-b9fa-1d865c2a9dd5"
        },
        {
          "affected_range": "\u003e=v0.19.0 \u003cv0.30.0",
          "affected_versions": "All versions starting from 0.19.0 before 0.30.0",
          "cvss_v2": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-416",
            "CWE-937"
          ],
          "date": "2021-12-21",
          "description": "Wasmtime is an open source runtime for WebAssembly \u0026 WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime\u0027s `VMExternRefActivationsTable` became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to `wasmtime::Config::wasm_reference_types`.",
          "fixed_versions": [
            "v0.30.0"
          ],
          "identifier": "CVE-2021-39216",
          "identifiers": [
            "CVE-2021-39216",
            "GHSA-v4cp-h94r-m7xf"
          ],
          "not_impacted": "",
          "package_slug": "go/github.com/bytecodealliance/wasmtime-go",
          "pubdate": "2021-09-17",
          "solution": "Upgrade to version 0.30.0 or above.",
          "title": "Use After Free",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-39216",
            "https://crates.io/crates/wasmtime",
            "https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3",
            "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/"
          ],
          "uuid": "7dab65e0-6819-4d59-98d0-516217da755c",
          "versions": [
            {
              "commit": {
                "sha": "b1b054c8d98ce2b121c695902b2a51144d3eae68",
                "tags": [
                  "v0.19.0"
                ],
                "timestamp": "20200717211020"
              },
              "number": "v0.19.0"
            },
            {
              "commit": {
                "sha": "e5704ca48f2ac43faaebaa4055c9f4cd01bac8c0",
                "tags": [
                  "v0.30.0"
                ],
                "timestamp": "20210917191246"
              },
              "number": "v0.30.0"
            }
          ]
        },
        {
          "affected_range": "[0.19.0,0.30.0)",
          "affected_versions": "All versions starting from 0.19.0 before 0.30.0",
          "cvss_v2": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-416",
            "CWE-937"
          ],
          "date": "2021-12-21",
          "description": "Wasmtime is an open source runtime for WebAssembly \u0026 WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime\u0027s `VMExternRefActivationsTable` became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to `wasmtime::Config::wasm_reference_types`.",
          "fixed_versions": [
            "0.30.0"
          ],
          "identifier": "CVE-2021-39216",
          "identifiers": [
            "CVE-2021-39216",
            "GHSA-v4cp-h94r-m7xf"
          ],
          "not_impacted": "",
          "package_slug": "nuget/Wasmtime",
          "pubdate": "2021-09-17",
          "solution": "Upgrade to version 0.30.0 or above.",
          "title": "Use After Free",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-39216",
            "https://crates.io/crates/wasmtime",
            "https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3",
            "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/"
          ],
          "uuid": "e9c9832b-1659-40a1-92fd-7f8fc6e86bfe"
        },
        {
          "affected_range": "\u003e=0.19.0,\u003c0.30.0",
          "affected_versions": "All versions starting from 0.19.0 before 0.30.0",
          "cvss_v2": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-416",
            "CWE-937"
          ],
          "date": "2021-12-21",
          "description": "Wasmtime is an open source runtime for WebAssembly \u0026 WASI. In Wasmtime from and there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host.",
          "fixed_versions": [
            "0.30.0"
          ],
          "identifier": "CVE-2021-39216",
          "identifiers": [
            "CVE-2021-39216",
            "GHSA-v4cp-h94r-m7xf"
          ],
          "not_impacted": "All versions before 0.19.0, all versions starting from 0.30.0",
          "package_slug": "pypi/wasmtime",
          "pubdate": "2021-09-17",
          "solution": "Upgrade to version 0.30.0 or above.",
          "title": "Use After Free",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-39216"
          ],
          "uuid": "2e7d5a4d-2504-409e-8abd-83725ee0b17a"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.30.0",
                "versionStartIncluding": "0.19.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-39216"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Wasmtime is an open source runtime for WebAssembly \u0026 WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime\u0027s `VMExternRefActivationsTable` became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to `wasmtime::Config::wasm_reference_types`."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-416"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://crates.io/crates/wasmtime",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://crates.io/crates/wasmtime"
            },
            {
              "name": "https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3"
            },
            {
              "name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf"
            },
            {
              "name": "FEDORA-2021-68713440cb",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/"
            },
            {
              "name": "FEDORA-2021-1805eacb48",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 3.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 3.4,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.0,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2021-12-21T14:18Z",
      "publishedDate": "2021-09-17T20:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-39216 (GCVE-0-2021-39216)

PYSEC-2021-320

CVE-2021-39216

Vulnerability from osv_rustsec

FKIE_CVE-2021-39216

GHSA-V4CP-H94R-M7XF

Impact

Patches

Workarounds

References

For more information

GSD-2021-39216

Tags

Sightings

Nomenclature