SB2021091726 - Multiple vulnerabilities in Wasmtime
Published: September 17, 2021 Updated: April 23, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Free of Memory not on the Heap (CVE-ID: CVE-2021-39218)
CWE-ID: CWE-590 - Free of Memory not on the Heap
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause memory corruption.
The vulnerability exists due to incorrect GC stack map handling in Wasmtime's externref and GC safepoint handling, which takes effect when a garbage collection occurs while running Wasm that uses externrefs. A remote attacker can execute crafted Wasm that uses externrefs to cause memory corruption.
Exploitation requires that the host creates non-null externrefs and that a garbage collection occurs while a Wasm frame is at a GC safepoint that has no live references, after an earlier safepoint in the same function did have live references.
2) Type Confusion (CVE-ID: CVE-2021-39219)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory unsafety.
The vulnerability exists due to type confusion in Linker::func_* APIs when using a Linker created with one Engine to instantiate a module into a Store created with a different Engine. A local user can use mismatched Engine values across Linker and Store operations to cause memory unsafety.
Exploitation requires an embedding that uses at least two Engine instances and reuses a Linker across them.
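An embedding-side guard for the condition in item 2, as an added example that is not Wasmtime's code or its fix. `Engine`, `Linker`, `Store` and `LinkError` below are stand-in types that model only Engine identity, and the host function names are constructed.

```rust
use std::sync::Arc;

// Stand-in types (hypothetical, not the wasmtime API): an Engine is a shared
// handle; Linker and Store each remember the Engine they were built from.
#[derive(Clone)]
pub struct Engine(Arc<String>);
pub struct Linker { engine: Engine, funcs: Vec<&'static str> }
pub struct Store { engine: Engine }

#[derive(Debug, PartialEq)]
pub enum LinkError { EngineMismatch }

impl Engine {
    pub fn new(config: &str) -> Self { Engine(Arc::new(config.to_string())) }
    // Identity, not configuration equality: two Engines built from the same
    // settings are still different Engines. In a real embedding the
    // equivalent identity check is wasmtime's `Engine::same`.
    pub fn same(a: &Engine, b: &Engine) -> bool { Arc::ptr_eq(&a.0, &b.0) }
}

impl Store {
    pub fn new(engine: &Engine) -> Self { Store { engine: engine.clone() } }
}

impl Linker {
    pub fn new(engine: &Engine) -> Self {
        Linker { engine: engine.clone(), funcs: Vec::new() }
    }
    pub fn func(&mut self, name: &'static str) -> &mut Self {
        self.funcs.push(name);
        self
    }
    // Guard: refuse to link host functions into a Store owned by another Engine.
    pub fn instantiate(&self, store: &Store) -> Result<usize, LinkError> {
        if !Engine::same(&self.engine, &store.engine) {
            return Err(LinkError::EngineMismatch);
        }
        Ok(self.funcs.len()) // number of host functions linked
    }
}

// Constructed scenario: two Engines with identical config, one Linker reused.
pub fn demo() -> (Result<usize, LinkError>, Result<usize, LinkError>) {
    let (a, b) = (Engine::new("default"), Engine::new("default"));
    let mut linker = Linker::new(&a);
    linker.func("host_log").func("host_read");
    (linker.instantiate(&Store::new(&a)), linker.instantiate(&Store::new(&b)))
}

fn main() { println!("{:?}", demo()); }
```

Keeping one Linker per Engine, or running this check at every instantiation call site, removes the precondition described above regardless of the installed version.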
3) Use-after-free (CVE-ID: CVE-2021-39216)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service or potentially execute arbitrary code.
The vulnerability exists due to a use-after-free error in externref handling when multiple externrefs are passed from host code to guest Wasm content at the same time. A remote user can pass multiple externrefs as arguments or return multiple externrefs from a host-defined multi-value function to cause a denial of service or potentially execute arbitrary code.
The issue can be triggered if the VMExternRefActivationsTable becomes full after the first externref is passed, causing garbage collection before control is transferred to Wasm.
Remediation
Install the update from the vendor's website.
References
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4873-36h9-wv49
- https://github.com/advisories/GHSA-4873-36h9-wv49
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q879-9g95-56mx
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf
- https://github.com/advisories/GHSA-v4cp-h94r-m7xf