PT-2021-23936 · Lucet · Lucet

Highpchicken · Published 2021-11-29 · Updated 2021-12-01 · CVE-2021-43790

CVSS v3.1: 8.5 High

Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Lucet versions prior to the main branch
Description: There is a bug in the lucet-runtime that allows a use-after-free in an Instance object, potentially resulting in memory corruption, data race, or other related issues. This bug was introduced early in the development of Lucet and is present in all releases. The bug is related to the InstanceHandle type and the pool allocator used for new WebAssembly instances. When an Instance is dropped, the fields of the Instance are destructed top-to-bottom, but the memory backing the Instance is released back to the pool before the destructors of the remaining fields are run, potentially leading to a race condition and use-after-free errors.
Recommendations: Upgrade to the main branch of the Lucet repository, as there is no way to remediate this vulnerability without upgrading.
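
The ordering problem in the description, as an added safe-Rust model (not code from Lucet or from this advisory). `SlotGuard`, `State`, `FlawedInstance` and `FixedInstance` are hypothetical names; the model only records the order in which destructors run and does not reproduce Lucet's pool allocator, and reordering the fields is one way to correct the model, not a statement of how Lucet was fixed.

```rust
use std::cell::RefCell;
use std::rc::Rc;

// Shared event log so the drop order can be inspected afterwards.
type Log = Rc<RefCell<Vec<&'static str>>>;

// Hypothetical stand-in for the field whose destructor returns the
// instance's backing memory to the pool.
struct SlotGuard(Log);
impl Drop for SlotGuard {
    fn drop(&mut self) {
        self.0.borrow_mut().push("slot released to pool");
    }
}

// Hypothetical stand-in for any later field that has its own destructor.
struct State(Log);
impl Drop for State {
    fn drop(&mut self) {
        self.0.borrow_mut().push("state destructor ran");
    }
}

// Flawed layout: Rust drops fields in declaration order, so the slot is
// handed back to the pool while `state` still has a destructor pending.
#[allow(dead_code)]
struct FlawedInstance { slot: SlotGuard, state: State }

// Corrected layout for this model: the releasing field is declared last.
#[allow(dead_code)]
struct FixedInstance { state: State, slot: SlotGuard }

fn drop_order_flawed() -> Vec<&'static str> {
    let log: Log = Rc::new(RefCell::new(Vec::new()));
    drop(FlawedInstance { slot: SlotGuard(log.clone()), state: State(log.clone()) });
    let events = log.borrow().clone();
    events
}

fn drop_order_fixed() -> Vec<&'static str> {
    let log: Log = Rc::new(RefCell::new(Vec::new()));
    drop(FixedInstance { state: State(log.clone()), slot: SlotGuard(log.clone()) });
    let events = log.borrow().clone();
    events
}

fn main() {
    println!("flawed: {:?}", drop_order_flawed());
    println!("fixed:  {:?}", drop_order_fixed());
}
```

In the flawed layout, the interval between the two logged events is the window in which another thread could receive the same slot from the pool, which is where the race and use-after-free described above arise.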

Exploit

Fix

Use After Free


Weakness Enumeration

Related Identifiers

CVE-2021-43790
GHSA-HF79-8HJP-RRVQ
RUSTSEC-2021-0155

Affected Products

Lucet