CVE-2021-32629: Memory access due to code generation flaw in Cranelift module
(updated )
There is a bug in 0.73.0 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in a WebAssembly module. Users of versions 0.73.0 of Cranelift should upgrade to either 0.73.1 or 0.74 to remediate this vulnerability. Users of Cranelift prior to 0.73.0 should update to 0.73.1 or 0.74 if they were not using the old default backend.
References
- crates.io/crates/cranelift-codegen
- github.com/RustSec/advisory-db/blob/main/crates/cranelift-codegen/RUSTSEC-2021-0067.md
- github.com/advisories/GHSA-hpqh-2wqx-7qp5
- github.com/bytecodealliance/wasmtime/commit/95559c01aaa7c061088a433040f31e8291fb09d0
- github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hpqh-2wqx-7qp5
- github.com/bytecodealliance/wasmtime/tree/main/cranelift
- github.com/pypa/advisory-database/tree/main/vulns/wasmtime/PYSEC-2021-87.yaml
- nvd.nist.gov/vuln/detail/CVE-2021-32629
- rustsec.org/advisories/RUSTSEC-2021-0067.html
- www.fastly.com/security-advisories/memory-access-due-to-code-generation-flaw-in-cranelift-module
Detect and mitigate CVE-2021-32629 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →