CVE-2021-39218 : Security Advisory and Response
Learn about CVE-2021-39218 affecting Wasmtime versions 0.26.0 to 0.29.0. Discover the impact, technical details, and mitigation steps for this critical vulnerability.
Wasmtime, an open-source WebAssembly & WASI runtime, from version 0.26.0 to 0.29.0, is vulnerable to memory unsoundness.
Understanding CVE-2021-39218
This CVE details a critical vulnerability affecting Wasmtime versions 0.26.0 to 0.29.0.
What is CVE-2021-39218?
The vulnerability involves an invalid free and out-of-bounds read/write bug occurring when running Wasm utilizing
externrefThe Impact of CVE-2021-39218
The vulnerability carries a CVSS base score of 6.3, with high severity in integrity and availability but none in confidentiality. It requires low privileges and local access to exploit.
Technical Details of CVE-2021-39218
The technical aspects of the vulnerability are as follows:
Vulnerability Description
- The bug involves improper handling of
externrefAffected Systems and Versions
- Affected Product: Wasmtime
- Vendor: Bytecode Alliance
- Vulnerable Versions: >= 0.26.0, <= 0.29.0
Exploitation Mechanism
- Exploitation requires Wasm running
externrefexternrefsMitigation and Prevention
Steps to address and prevent the vulnerability:
Immediate Steps to Take
- Upgrade to Wasmtime version 0.30.0, which includes a patch for the issue.
Long-Term Security Practices
- If unable to update, disable the reference types proposal by passing
falsewasmtime::Config::wasm_reference_typesPatching and Updates
- Regularly check for security updates and apply patches promptly to mitigate future vulnerabilities.