Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-v4cp-h94r-m7xf

GitHub Security Advisory

Use after free passing `externref`s to Wasm in Wasmtime

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

### Impact

There was a use-after-free bug when passing `externref`s from the host to guest Wasm content.

To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by

* passing multiple `externref`s as arguments from host code to a Wasm function,
* or returning multiple `externref`s to Wasm from a multi-value return function defined in the host.

If you do not have host code that matches one of these shapes, then you are not impacted.

If Wasmtime's [`VMExternRefActivationsTable`](https://github.com/bytecodealliance/wasmtime/blob/37c094faf53f1b356aab3c79d451395e4f7edb34/crates/runtime/src/externref.rs#L493) became filled to capacity after passing the first `externref` in, then passing in the second `externref` could trigger a garbage collection. However the first `externref` is not rooted until we pass control to Wasm, and therefore could be reclaimed by the collector if nothing else was holding a reference to it or otherwise keeping it alive. Then, when control was passed to Wasm after the garbage collection, Wasm could use the first `externref`, which at this point has already been freed.

We have reason to believe that the effective impact of this bug is relatively small because usage of `externref` is currently quite rare.

### Patches

The bug has been fixed, and users should upgrade to Wasmtime 0.30.0.

Additionally, we have updated [our primary `externref` fuzz target](https://github.com/bytecodealliance/wasmtime/blob/37c094faf53f1b356aab3c79d451395e4f7edb34/fuzz/fuzz_targets/table_ops.rs) such that it better exercises these code paths and we can have greater confidence in their correctness going forward.

### Workarounds

If you cannot upgrade Wasmtime yet, you can avoid the bug by disabling reference types support in Wasmtime by passing `false` to [`wasmtime::Config::wasm_reference_types`](https://docs.rs/wasmtime/0.29.0/wasmtime/struct.Config.html#method.wasm_reference_types).

### References

* [The reference types Wasm proposal, which introduces `externref`](https://github.com/WebAssembly/reference-types/)

### For more information

If you have any questions or comments about this advisory:

* Reach out to us on [the Bytecode Alliance Zulip chat](https://bytecodealliance.zulipchat.com/#narrow/stream/217126-wasmtime)
* Open an issue in [the `bytecodealliance/wasmtime` repository](https://github.com/bytecodealliance/wasmtime/)

Affected Packages

crates.io wasmtime
Affected versions: 0 (fixed in 0.30.0)
PyPI wasmtime
Affected versions: 0 (fixed in 0.30.0)

Related CVEs

CVE-2021-39216

Key Information

GHSA ID
GHSA-v4cp-h94r-m7xf
Published
September 20, 2021 7:54 PM
Last Modified
November 19, 2024 6:00 PM
CVSS Score
5.0 /10
Primary Ecosystem
crates.io
Primary Package
wasmtime
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 9, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.