Access of Memory Location After End of Buffer in Wasmtime and cranelift-codegen - CVE-2021-32629

 


Published: May 21, 2021 / Updated: April 23, 2026


Vulnerability identifier: #VU127034
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-32629
CWE-ID: CWE-788
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Wasmtime, cranelift-codegen
Software vendor: Bytecode Alliance

Description

The vulnerability allows a remote attacker to access memory outside the intended WebAssembly sandbox.

The vulnerability exists due to improper code generation in the Cranelift x64 backend when reloading spilled integer values narrower than 64 bits during WebAssembly heap address computation. A remote attacker can execute a specially crafted WebAssembly module to access memory outside the intended WebAssembly sandbox.

The issue occurs when a spilled i32 value is sign-extended instead of zero-extended under specific register-allocation and instruction-selection conditions, and can allow access to memory up to 2 GiB before the start of the module heap.
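
The difference between the two extensions, as an added Rust model of the address arithmetic (an illustration, not Cranelift or Wasmtime code; `HEAP_BASE` and all function names are constructed for this example):

```rust
// Added illustration: models the address arithmetic only; not Cranelift code.
const HEAP_BASE: u64 = 0x7f00_0000_0000; // constructed sample heap base

/// Intended reload: the 32-bit wasm index is zero-extended to 64 bits.
fn addr_zero_extended(heap_base: u64, index: u32) -> u64 {
    heap_base.wrapping_add(index as u64)
}

/// Faulty reload from the advisory: the same 32 bits are sign-extended.
fn addr_sign_extended(heap_base: u64, index: u32) -> u64 {
    heap_base.wrapping_add(index as i32 as i64 as u64)
}

/// Signed distance of `addr` from the heap base (negative = before the heap).
fn offset_from_base(heap_base: u64, addr: u64) -> i64 {
    addr.wrapping_sub(heap_base) as i64
}

/// True when sign extension would place the access before the heap base.
fn lands_before_heap(index: u32) -> bool {
    offset_from_base(HEAP_BASE, addr_sign_extended(HEAP_BASE, index)) < 0
}

fn main() {
    // Boundary indices: the two forms agree until bit 31 is set.
    for index in [0u32, 0x7fff_ffff, 0x8000_0000, 0xffff_ffff] {
        let good = offset_from_base(HEAP_BASE, addr_zero_extended(HEAP_BASE, index));
        let bad = offset_from_base(HEAP_BASE, addr_sign_extended(HEAP_BASE, index));
        println!(
            "index {:#010x}: zext offset {:>11}, sext offset {:>11}",
            index, good, bad
        );
    }
}
```

Indices below 0x8000_0000 give the same address either way, so the fault only shows for indices with bit 31 set; the most negative offset, -2147483648 bytes, is the 2 GiB reach stated above.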


Remediation

Install the security update from the vendor's website.
