PT-2021-22469 · Wasmtime · Wasmtime

Fitzgen · Published 2021-09-17 · Updated 2021-12-10 · CVE-2021-39218

CVSS v3.1: 6.3 (Medium)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Wasmtime versions 0.19.0 through 0.29.0
Wasmtime versions 0.26.0 through 0.29.0

Description

There is a memory unsoundness vulnerability in Wasmtime, which can be triggered when running Wasm that uses externrefs. This can result in an invalid free and out-of-bounds read and write bugs. The vulnerability can be exploited when the host creates non-null externrefs, Wasmtime performs a garbage collection, and there is a Wasm frame on the stack that is at a GC safepoint with no live references. Additionally, there is a type confusion vulnerability when using the Linker API with multiple Engine values, which can result in calling a function with the wrong type. The estimated impact of these bugs is relatively small due to the rare usage of externrefs.

Recommendations

For Wasmtime versions 0.19.0 through 0.29.0, upgrade to Wasmtime version 0.30.0. For Wasmtime versions 0.26.0 through 0.29.0, as a temporary workaround, consider disabling the reference types proposal by passing false to `wasmtime::Config::wasm_reference_types` until a patch is available. If using multiple Engines is required, audit the code to ensure that Linker is only used with one Engine.
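
To see which of the recommendations above applies to a project, the locked `wasmtime` version can be compared against the two ranges in this entry. The Rust code below is an added example, not part of the original advisory or of the Wasmtime project; the function names, the `Status` enum and the sample lockfile text are constructed for illustration, and it assumes every release below the fixed 0.30.0 (from 0.19.0 up) counts as affected.

```rust
// Added example: version ranges are those stated in this entry; SAMPLE_LOCK is constructed.
#[derive(Debug, PartialEq)]
enum Status {
    NotAffected,
    Upgrade,             // 0.19.0 through 0.29.0: upgrade to 0.30.0
    UpgradeOrWorkaround, // 0.26.0 through 0.29.0: workaround also applies
}

// Reads major.minor.patch, ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

// Assumption: anything from 0.19.0 up to, but not including, 0.30.0 is affected.
fn classify(v: (u64, u64, u64)) -> Status {
    if v < (0, 19, 0) || v >= (0, 30, 0) {
        Status::NotAffected
    } else if v >= (0, 26, 0) {
        Status::UpgradeOrWorkaround
    } else {
        Status::Upgrade
    }
}

// Returns (version, status) for every `wasmtime` package entry in Cargo.lock text.
fn scan_lockfile(lock: &str) -> Vec<(String, Status)> {
    let mut out = Vec::new();
    let mut name = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None; // a new package block starts
        } else if let Some(n) = line.strip_prefix("name = ") {
            name = Some(n.trim_matches('"'));
        } else if let Some(v) = line.strip_prefix("version = ") {
            let v = v.trim_matches('"');
            if name == Some("wasmtime") {
                out.extend(parse_version(v).map(|p| (v.to_string(), classify(p))));
            }
        }
    }
    out
}

const SAMPLE_LOCK: &str = "[[package]]\nname = \"wasmtime\"\nversion = \"0.29.0\"\n\n[[package]]\nname = \"wasmtime-wasi\"\nversion = \"0.29.0\"\n\n[[package]]\nname = \"wasmtime\"\nversion = \"0.22.0\"\n";
fn main() {
    for (v, s) in scan_lockfile(SAMPLE_LOCK) { println!("wasmtime {}: {:?}", v, s); }
}
```

Only the package named exactly `wasmtime` is matched, since that is the product this entry lists as affected.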

Fix

Memory Corruption

Use After Free

Out of bounds Read

Type Confusion

Related Identifiers

CVE-2021-39218
GHSA-4873-36H9-WV49
GHSA-Q879-9G95-56MX
GHSA-V4CP-H94R-M7XF
PYSEC-2021-320
PYSEC-2021-321
PYSEC-2021-322
RUSTSEC-2021-0110

Affected Products

Wasmtime