cbcvebase.
CVE-2021-32629
published 2021-05-24

CVE-2021-32629: Cranelift is an open-source code generator maintained by Bytecode Alliance. It translates a target-independent intermediate representation into executable…

PriorityP343high8.8CVSS 3.1
AVLACLPRLUINSCCHIHAH
EPSS
0.46%
36.2th percentile
Cranelift is an open-source code generator maintained by Bytecode Alliance. It translates a target-independent intermediate representation into executable machine code. There is a bug in 0.73 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in a Wasm program. This bug was introduced in the new backend on 2020-09-08 and first included in a release on 2020-09-30, but the new backend was not the default prior to 0.73. The recently-released version 0.73 with default settings, and prior versions with an explicit build flag to select the new backend, are vulnerable. The bug in question performs a sign-extend instead of a zero-extend on a value loaded from the stack, under a specific set of circumstances. If those circumstances occur, the bug could allow access to memory addresses upto 2GiB before the start of the Wasm program heap. If the heap bound is larger than 2GiB, then it would be possible to read memory from a computable range dependent on the size of the heaps bound. The impact of this bug is highly dependent on heap implementation, specifically: * if the heap has bounds checks, and * does not rely exclusively on guard pages, and * the heap bound is 2GiB or smaller * then this bug cannot be used to reach memory from another Wasm program heap. The impact of the vulnerability is mitigated if there is no memory mapped in the range accessible using this bug, for example, if there is a 2 GiB guard region before the Wasm program heap. The bug in question performs a sign-extend instead of a zero-extend on a value loaded from the stack, when the register allocator reloads a spilled integer value narrower than 64 bits. This interacts poorly with another optimization: the instruction selector elides a 32-to-64-bit zero-extend operator when we know that an instruction producing a 32-bit value actually zeros the upper 32 bits of its destination register. Hence, we rely on these zeroed bits, but the type of the value is st

Affected

6 ranges
VendorProductVersion rangeFixed in
bytecodealliancecranelift-codegen< 0.73.10.73.1
bytecodealliancecranelift-codegen>= 0 < 0.73.10.73.1
bytecodealliancecranelift-codegen>= 0.0.0-0 < 0.73.10.73.1
bytecodealliancewasmtime<= 0.73.0
bytecodealliancewasmtime>= 0 < 0.27.00.27.0
bytecodealliancewasmtime>= 0 < 95559c01aaa7c061088a433040f31e8291fb09d095559c01aaa7c061088a433040f31e8291fb09d0

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvdv2.04.6MEDIUMAV:L/AC:L/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.