CVE-2021-32629

Description

There is a bug in 0.73.0 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in a WebAssembly module. Users of versions 0.73.0 of Cranelift should upgrade to either 0.73.1 or 0.74 to remediate this vulnerability. Users of Cranelift prior to 0.73.0 should update to 0.73.1 or 0.74 if they were not using the old default backend. More details can be found in the GitHub Security Advisory at: <https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hpqh-2wqx-7qp5>

How to fix CVE-2021-32629

To remediate CVE-2021-32629, upgrade the affected package to a fixed version below.

• —upgrade to 0.73.1 or later
• —upgrade to 0.73.1 or later
• —upgrade to 0.27.0 or later
• —upgrade to 95559c01aaa7c061088a433040f31e8291fb09d0 or later

Is CVE-2021-32629 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 0.73.1
• >= 0.0.0-0, < 0.73.1
• from 0, < 0.27.0
• from 0, < 95559c01aaa7c061088a433040f31e8291fb09d0 | from 0, < 0.27.0

CVSS scores

References (9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-32629
• PATCHgithub.com/bytecodealliance/wasmtime/tree/main/cranelift
• WEBcrates.io/crates/cranelift-codegen
• WEBgithub.com/bytecodealliance/wasmtime/commit/95559c01aaa7c061088a433040f31e8291fb09d0