CVE-2021-39219

Wrong type for `Linker`-define functions when used across two `Engine`s

  • Severity Score: 6.3 (CVSS v3.1)
  • Exploit Likelihood: not listed (EPSS)
  • Affected Versions: not listed (CPE)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime before version 0.30.0 is affected by a type confusion vulnerability. As a Rust library the `wasmtime` crate clearly marks which functions are safe and which are `unsafe`, guaranteeing that if consumers never use `unsafe` then it should not be possible to have memory unsafety issues in their embeddings of Wasmtime.

An issue was discovered in the safe API of `Linker::func_*` APIs. These APIs were previously not sound when one `Engine` was used to create the `Linker` and then a different `Engine` was used to create a `Store` and then the `Linker` was used to instantiate a module into that `Store`. Cross-`Engine` usage of functions is not supported in Wasmtime and this can result in type confusion of function pointers, resulting in being able to safely call a function with the wrong type.

Triggering this bug requires using at least two `Engine` values in an embedding and then additionally using two different values with a `Linker` (one at the creation time of the `Linker` and another when instantiating a module with the `Linker`). It's expected that usage of more-than-one `Engine` in an embedding is relatively rare since an `Engine` is intended to be a globally shared resource, so the expectation is that the impact of this issue is relatively small.

The fix implemented is to change this behavior to `panic!()` in Rust instead of silently allowing it. Using different `Engine` instances with a `Linker` is a programmer bug that `wasmtime` catches at runtime. This bug has been patched and users should upgrade to Wasmtime version 0.30.0.

If you cannot upgrade Wasmtime and are using more than one `Engine` in your embedding it's recommended to instead use only one `Engine` for the entire program if possible. An `Engine` is designed to be a globally shared resource that is suitable to have only one for the lifetime of an entire process. If using multiple `Engine`s is required then code should be audited to ensure that `Linker` is only used with one `Engine`.
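
The engine-identity check described above, sketched as an added example (not Wasmtime's code and not part of the original advisory): a std-only Rust model in which `Engine`, `Store` and `Linker` are hypothetical stand-ins for the real types. The per-engine signature table is an assumption of the model, used to make the wrong-type match visible.

```rust
use std::collections::HashMap;
use std::sync::{Arc, Mutex};
// Std-only model; these types are hypothetical stand-ins, not the wasmtime API.
// Assumption: each engine numbers function signatures in its own table.
#[derive(Clone)]
pub struct Engine(Arc<Mutex<Vec<String>>>);
impl Engine {
    pub fn new() -> Self { Engine(Arc::new(Mutex::new(Vec::new()))) }
    // Two handles name the same engine only if they share one allocation.
    pub fn same(a: &Engine, b: &Engine) -> bool { Arc::ptr_eq(&a.0, &b.0) }
    // Intern a signature; the returned index is meaningful in this engine only.
    pub fn sig_index(&self, sig: &str) -> usize {
        let mut table = self.0.lock().unwrap();
        if let Some(i) = table.iter().position(|s| s.as_str() == sig) { return i; }
        table.push(sig.to_string());
        table.len() - 1
    }
}
pub struct Store { engine: Engine }
impl Store { pub fn new(e: &Engine) -> Self { Store { engine: e.clone() } } }
pub struct Linker { engine: Engine, funcs: HashMap<String, usize> }
impl Linker {
    pub fn new(e: &Engine) -> Self { Linker { engine: e.clone(), funcs: HashMap::new() } }
    // Define a host function; its signature index comes from the linker's engine.
    pub fn func(&mut self, name: &str, sig: &str) {
        self.funcs.insert(name.to_string(), self.engine.sig_index(sig));
    }
    // Pre-fix model: signature indices are compared with no engine check.
    pub fn import_matches_unchecked(&self, store: &Store, name: &str, wanted: &str) -> bool {
        self.funcs.get(name).copied() == Some(store.engine.sig_index(wanted))
    }
    // Post-fix model: mixing engines is treated as a programmer bug and panics.
    pub fn import_matches(&self, store: &Store, name: &str, wanted: &str) -> bool {
        assert!(Engine::same(&self.engine, &store.engine), "Linker and Store use different Engines");
        self.import_matches_unchecked(store, name, wanted)
    }
}
// Returns (unchecked cross-engine result, whether the checked path panicked).
pub fn demo() -> (bool, bool) {
    let (a, b) = (Engine::new(), Engine::new());
    let mut linker = Linker::new(&a);
    linker.func("host_fn", "(i32) -> i32"); // index 0 in engine `a`
    let store = Store::new(&b);
    let confused = linker.import_matches_unchecked(&store, "host_fn", "() -> ()"); // index 0 in `b`
    let checked = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
        linker.import_matches(&store, "host_fn", "() -> ()")
    }));
    (confused, checked.is_err())
}
fn main() { println!("{:?}", demo()); }
```

In the model, the unchecked path accepts a `(i32) -> i32` host function where `() -> ()` was requested because both signatures happen to be index 0 in their own engine; the checked path refuses before any index is compared.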

*Credits: N/A
CVSS Scores
  • Attack Vector: Local; Attack Complexity: High; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: High; Availability: High
  • Attack Vector: Local; Attack Complexity: High; Privileges Required: None; User Interaction: Required; Scope: Unchanged; Confidentiality: None; Integrity: High; Availability: High
  • Attack Vector: Local; Attack Complexity: Medium; Authentication: None; Confidentiality: None; Integrity: Partial; Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-08-16 CVE Reserved
  • 2021-09-17 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Bytecodealliance | Wasmtime | < 0.30.0 | - | Affected
Fedoraproject | Fedora | 34 | - | Affected
Fedoraproject | Fedora | 35 | - | Affected