CVE-2021-39216 - OpenCVE

Vendors	Products
Bytecodealliance	Wasmtime
Fedoraproject	Fedora

Link	Providers
https://crates.io/crates/wasmtime
https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/

{"containers": {"cna": {"affected": [{"product": "wasmtime", "vendor": "bytecodealliance", "versions": [{"status": "affected", "version": ">=0.19.0, <=0.29.0"}]}], "descriptions": [{"lang": "en", "value": "Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime's `VMExternRefActivationsTable` became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to `wasmtime::Config::wasm_reference_types`."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416: Use After Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-04T02:06:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3"}, {"tags": ["x_refsource_MISC"], "url": "https://crates.io/crates/wasmtime"}, {"name": "FEDORA-2021-68713440cb", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/"}, {"name": "FEDORA-2021-1805eacb48", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/"}], "source": {"advisory": "GHSA-v4cp-h94r-m7xf", "discovery": "UNKNOWN"}, "title": "Use after free passing `externref`s to Wasm in Wasmtime", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39216", "STATE": "PUBLIC", "TITLE": "Use after free passing `externref`s to Wasm in Wasmtime"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "wasmtime", "version": {"version_data": [{"version_value": ">=0.19.0, <=0.29.0"}]}}]}, "vendor_name": "bytecodealliance"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime's `VMExternRefActivationsTable` became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to `wasmtime::Config::wasm_reference_types`."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-416: Use After Free"}]}]}, "references": {"reference_data": [{"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf", "refsource": "CONFIRM", "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf"}, {"name": "https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3", "refsource": "MISC", "url": "https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3"}, {"name": "https://crates.io/crates/wasmtime", "refsource": "MISC", "url": "https://crates.io/crates/wasmtime"}, {"name": "FEDORA-2021-68713440cb", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/"}, {"name": "FEDORA-2021-1805eacb48", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/"}]}, "source": {"advisory": "GHSA-v4cp-h94r-m7xf", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:58:18.335Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://crates.io/crates/wasmtime"}, {"name": "FEDORA-2021-68713440cb", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/"}, {"name": "FEDORA-2021-1805eacb48", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-39216", "datePublished": "2021-09-17T20:05:11", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-08-04T01:58:18.335Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:*:*:*", "matchCriteriaId": "610E88E6-811D-4E4A-936B-FAD8CC96B4D6", "versionEndExcluding": "0.30.0", "versionStartIncluding": "0.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the host. If you do not have host code that matches one of these shapes, then you are not impacted. If Wasmtime's `VMExternRefActivationsTable` became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed. We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare. The bug has been fixed, and users should upgrade to Wasmtime 0.30.0. If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to `wasmtime::Config::wasm_reference_types`."}, {"lang": "es", "value": "Wasmtime es un tiempo de ejecuci\u00f3n de c\u00f3digo abierto para WebAssembly y WASI. En Wasmtime desde la versi\u00f3n 0.19.0 y versiones anteriores a 0.30.0, se presentaba un error de uso de memoria previamente liberada cuando se pasaban \"externref\"s desde el host al contenido del Wasm invitado. Para desencadenar el bug, debes pasar expl\u00edcitamente m\u00faltiples \"externref\"s desde el host a una instancia de Wasm al mismo tiempo, ya sea pasando m\u00faltiples \"externref\"s como argumentos desde el c\u00f3digo del host a una funci\u00f3n de Wasm, o devolviendo m\u00faltiples \"externref\"s a Wasm desde una funci\u00f3n de retorno multivalente definida en el host. Si no tienes c\u00f3digo de host que coincida con una de estas formas, entonces no te afecta. Si la \"VMExternRefActivationsTable\" de Wasmtime se llen\u00f3 de capacidad despu\u00e9s de pasar la primera \"externref\", entonces pasar la segunda \"externref\" podr\u00eda desencadenar una recolecci\u00f3n de basura. Sin embargo, la primera \"externref\" no est\u00e1 arraigada hasta que pasamos el control a Wasm, y por lo tanto podr\u00eda ser recuperada por el recolector si nada m\u00e1s estuviera manteniendo una referencia a ella o la mantuviera viva. Entonces, cuando se pasara el control a Wasm despu\u00e9s de la recolecci\u00f3n de basura, Wasm podr\u00eda usar la primera \"externref\", que en este punto ya ha sido liberada. Tenemos razones para creer que el impacto efectivo de este error es relativamente peque\u00f1o porque el uso de \"externref\" es actualmente bastante raro. El bug ha sido corregido, y los usuarios deber\u00edan actualizar a Wasmtime versi\u00f3n 0.30.0. Si no puedes actualizar Wasmtime todav\u00eda, puedes evitar el bug deshabilitando el soporte de tipos de referencia en Wasmtime pasando \"false\" a \"wasmtime::Config::wasm_reference_types\""}], "id": "CVE-2021-39216", "lastModified": "2023-11-07T03:37:36.497", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Primary"}]}, "published": "2021-09-17T20:15:07.703", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://crates.io/crates/wasmtime"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/bytecodealliance/wasmtime/commit/101998733b74624cbd348a2366d05760b40181f3"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAVBRYDDUIY2ZR3K3FO4BVYJKIMJ5TP7/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2Z33FTXFQ6EOINVEQIP4DFBG53G5XIY/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Primary"}]}

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object