CVE-2021-39218
Wasmtime Externref Memory Unsouness Vulnerability
Description
Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.26.0 and before version 0.30.0 is affected by a memory unsoundness vulnerability. There was an invalid free and out-of-bounds read and write bug when running Wasm that uses `externref`s in Wasmtime. To trigger this bug, Wasmtime needs to be running Wasm that uses `externref`s, the host creates non-null `externrefs`, Wasmtime performs a garbage collection (GC), and there has to be a Wasm frame on the stack that is at a GC safepoint where there are no live references at this safepoint, and there is a safepoint with live references earlier in this frame's function. Under this scenario, Wasmtime would incorrectly use the GC stack map for the safepoint from earlier in the function instead of the empty safepoint. This would result in Wasmtime treating arbitrary stack slots as `externref`s that needed to be rooted for GC. At the *next* GC, it would be determined that nothing was referencing these bogus `externref`s (because nothing could ever reference them, because they are not really `externref`s) and then Wasmtime would deallocate them and run `<ExternRef as Drop>::drop` on them. This results in a free of memory that is not necessarily on the heap (and shouldn't be freed at this moment even if it was), as well as potential out-of-bounds reads and writes. Even though support for `externref`s (via the reference types proposal) is enabled by default, unless you are creating non-null `externref`s in your host code or explicitly triggering GCs, you cannot be affected by this bug. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. This bug has been patched and users should upgrade to Wasmtime version 0.30.0. If you cannot upgrade Wasmtime at this time, you can avoid this bug by disabling the reference types proposal by passing `false` to `wasmtime::Config::wasm_reference_types`.
INFO
Published Date :
Sept. 17, 2021, 9:15 p.m.
Last Modified :
Nov. 7, 2023, 3:37 a.m.
Source :
[email protected]
Remotely Exploitable :
No
Impact Score :
5.2
Exploitability Score :
1.0
Affected Products
The following products are affected by CVE-2021-39218
vulnerability.
Even if cvefeed.io
is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2021-39218
.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2021-39218
vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2021-39218
vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by [email protected]
May. 14, 2024
Action Type Old Value New Value -
CVE Modified by [email protected]
Nov. 07, 2023
Action Type Old Value New Value Added Reference GitHub, Inc. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/ [No types assigned] Added Reference GitHub, Inc. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/ [No types assigned] Removed Reference GitHub, Inc. https://lists.fedoraproject.org/archives/list/[email protected]/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/ Removed Reference GitHub, Inc. https://lists.fedoraproject.org/archives/list/[email protected]/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/ -
Modified Analysis by [email protected]
Dec. 10, 2021
Action Type Old Value New Value Added CVSS V3.1 NIST AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H Changed Reference Type https://crates.io/crates/wasmtime Product https://crates.io/crates/wasmtime Product, Third Party Advisory Changed Reference Type https://lists.fedoraproject.org/archives/list/[email protected]/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/ No Types Assigned https://lists.fedoraproject.org/archives/list/[email protected]/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/ Mailing List, Third Party Advisory Changed CPE Configuration OR *cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:*:*:* versions from (including) 0.26.0 up to (excluding) 0.30.0 OR *cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:* versions from (including) 0.26.0 up to (excluding) 0.30.0 Changed CPE Configuration OR *cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* OR *cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* *cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* -
CVE Modified by [email protected]
Oct. 04, 2021
Action Type Old Value New Value Added Reference https://lists.fedoraproject.org/archives/list/[email protected]/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/ [No Types Assigned] -
Initial Analysis by [email protected]
Oct. 01, 2021
Action Type Old Value New Value Added CVSS V2 NIST (AV:L/AC:M/Au:N/C:N/I:P/A:P) Changed Reference Type https://crates.io/crates/wasmtime No Types Assigned https://crates.io/crates/wasmtime Product Changed Reference Type https://github.com/bytecodealliance/wasmtime/commit/398a73f0dd862dbe703212ebae8e34036a18c11c No Types Assigned https://github.com/bytecodealliance/wasmtime/commit/398a73f0dd862dbe703212ebae8e34036a18c11c Patch, Third Party Advisory Changed Reference Type https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4873-36h9-wv49 No Types Assigned https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4873-36h9-wv49 Third Party Advisory Changed Reference Type https://lists.fedoraproject.org/archives/list/[email protected]/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/ No Types Assigned https://lists.fedoraproject.org/archives/list/[email protected]/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/ Mailing List, Third Party Advisory Added CPE Configuration OR *cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:*:*:* versions from (including) 0.26.0 up to (excluding) 0.30.0 Added CPE Configuration OR *cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* -
CVE Modified by [email protected]
Sep. 30, 2021
Action Type Old Value New Value Added Reference https://lists.fedoraproject.org/archives/list/[email protected]/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/ [No Types Assigned]
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2021-39218
is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2021-39218
weaknesses.
Exploit Prediction
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.
0.04 }} 0.00%
score
0.12065
percentile