CVE-2021-39216: Use after free passing `externref`s to Wasm in Wasmtime
There was a use-after-free bug when passing `externref`s from the host to guest Wasm content.
To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by
- passing multiple `externref`s as arguments from host code to a Wasm function, or
- returning multiple `externref`s to Wasm from a multi-value return function defined in the host.
If you do not have host code that matches one of these shapes, then you are not impacted.
References
- crates.io/crates/wasmtime
- github.com/advisories/GHSA-v4cp-h94r-m7xf
- github.com/bytecodealliance/wasmtime
- github.com/bytecodealliance/wasmtime-py/compare/0.29.0...0.30.0
- github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3
- github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf
- github.com/pypa/advisory-database/tree/main/vulns/wasmtime/PYSEC-2021-320.yaml
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY
- nvd.nist.gov/vuln/detail/CVE-2021-39216
- rustsec.org/advisories/RUSTSEC-2021-0110.html