CVE-2020-35859: Out of bounds access in lucet-runtime-internals

August 25, 2021 (updated June 13, 2023)

An embedding using affected versions of lucet-runtime configured to use non-default Wasm globals sizes of more than 4KiB, or compiled in debug mode without optimizations, could leak data from the signal handler stack to guest programs. This can potentially cause data from the embedding host to leak to guest programs or cause corruption of guest program memory. This flaw was resolved by correcting the sigstack allocation logic.

References

github.com/advisories/GHSA-3933-wvjf-pcvc
github.com/bytecodealliance/lucet/pull/401
github.com/fastly/lucet
nvd.nist.gov/vuln/detail/CVE-2020-35859
rustsec.org/advisories/RUSTSEC-2020-0004.html

Detect and mitigate CVE-2020-35859 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →