CVE-2021-43790

HIGH
Published 2021-11-29T23:55:10

CVSS Score

V3.1: 8.5/10
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14: 0.005 probability of exploitation in the wild

There is a 0.5% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.650
Higher than 65.0% of all CVEs

Attack Vector Metrics

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED

Impact Metrics

Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Description

Lucet is a native WebAssembly compiler and runtime. There is a bug in the main branch of `lucet-runtime` affecting all versions published to crates.io that allows a use-after-free in an Instance object that could result in memory corruption, data race, or other related issues. This bug was introduced early in the development of Lucet and is present in all releases. As a result of this bug, and dependent on the memory backing for the Instance objects, it is possible to trigger a use-after-free when the Instance is dropped. Users should upgrade to the main branch of the Lucet repository. Lucet no longer provides versioned releases on crates.io. There is no way to remediate this vulnerability without upgrading.

Available Exploits

No exploits available for this CVE.

Affected Products

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Use After Free in lucet

GHSA-hf79-8hjp-rrvq

Advisory Details

### Impact

There is a bug in the main branch of Lucet's `lucet-runtime` that allows a use-after-free in an `Instance` object that could result in memory corruption, data race, or other related issues. This bug was introduced early in the development of Lucet and is present in all releases. As a result of this bug, and dependent on the memory backing for the `Instance` objects, it is possible to trigger a use-after-free when the `Instance` is dropped.

### Patches

Users should upgrade to the `main` branch of the Lucet repository. Lucet does not provide versioned releases on crates.io.

### Workarounds

There is no way to remediate this vulnerability without upgrading.

### Description

Lucet uses a "pool" allocator for new WebAssembly instances that are created. This pool allocator manages everything from the linear memory of the wasm instance, the runtime stack for async switching, as well as the memory behind the Instance itself. `Instances` are referred to via an `InstanceHandle` type which will, on drop, release the memory backing the Instance back to the pool. When an Instance is dropped, the fields of the `Instance` are destructed top-to-bottom, however when the `alloc: Alloc` field is destructed, the memory backing the `Instance` is released back to the pool before the destructors of the remaining fields are run. If another thread allocates the same memory from the pool while these destructors are still running, a race condition occurs that can lead to use-after-free errors. The bug was corrected by changing how the `InstanceHandle` destructor operates to ensure that the memory backing an Instance is only returned to the pool once the `Instance` has been completely destroyed.

This security advisory has been assigned CVE-2021-43790.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [lucet repository](https://github.com/bytecodealliance/lucet)
* Email [the lucet team](mailto:[email protected])
* See the [Bytecode Alliance security policy](https://bytecodealliance.org/security)
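The destructor ordering from the advisory's Description, as an added example that is not Lucet's code: `Alloc`, `Field`, `BuggyInstance` and `FixedInstance` are hypothetical stand-ins, and a shared log records when the pool slot is released relative to the remaining field's destructor. Using `ManuallyDrop` to force the order is an assumption chosen for illustration, not a description of the actual patch.

```rust
use std::cell::RefCell;
use std::mem::ManuallyDrop;
use std::rc::Rc;
type Log = Rc<RefCell<Vec<&'static str>>>;

// Hypothetical stand-in for the pool slot backing an instance.
struct Alloc(Log);
impl Drop for Alloc {
    fn drop(&mut self) { self.0.borrow_mut().push("slot returned to pool"); }
}
// Hypothetical stand-in for any later field whose destructor still uses that memory.
struct Field(Log);
impl Drop for Field {
    fn drop(&mut self) { self.0.borrow_mut().push("later field destroyed"); }
}

// Vulnerable shape: Rust drops fields in declaration order, so `alloc` goes first.
#[allow(dead_code)]
struct BuggyInstance { alloc: Alloc, state: Field }

// Hardened shape: the destructor releases the slot only after everything else is gone.
struct FixedInstance { alloc: ManuallyDrop<Alloc>, state: ManuallyDrop<Field> }
impl Drop for FixedInstance {
    fn drop(&mut self) {
        // SAFETY: each field is dropped exactly once and never used afterwards.
        unsafe {
            ManuallyDrop::drop(&mut self.state);
            ManuallyDrop::drop(&mut self.alloc);
        }
    }
}

// Builds a value, drops it, and returns the order in which destructors ran.
fn drop_order<T>(build: impl FnOnce(Log) -> T) -> Vec<&'static str> {
    let log: Log = Rc::new(RefCell::new(Vec::new()));
    drop(build(log.clone()));
    let order = log.borrow().clone();
    order
}
fn buggy_order() -> Vec<&'static str> {
    drop_order(|l| BuggyInstance { alloc: Alloc(l.clone()), state: Field(l) })
}
fn fixed_order() -> Vec<&'static str> {
    drop_order(|l| FixedInstance {
        alloc: ManuallyDrop::new(Alloc(l.clone())),
        state: ManuallyDrop::new(Field(l)),
    })
}
fn main() {
    println!("buggy: {:?}\nfixed: {:?}", buggy_order(), fixed_order());
}
```

In the buggy shape the slot is logged as returned before the later field is destroyed, which is the window in which another thread could reuse the memory.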

Affected Packages

crates.io lucet-runtime
ECOSYSTEM: ≥0 ≤0.6.1

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Advisory provided by GitHub Security Advisory Database. Published: November 30, 2021, Modified: November 30, 2021

References

Published: 2021-11-29T23:55:10
Last Modified: 2024-08-04T04:03:08.681Z