Use After Free in lucet
CVE-2021-43790

8.5HIGH

Key Information:

Vendor

Bytecodealliance

Status
Lucet
Vendor
CVE Published:
30 November 2021

What is CVE-2021-43790?

Lucet is a native WebAssembly compiler and runtime. There is a bug in the main branch of lucet-runtime affecting all versions published to crates.io that allows a use-after-free in an Instance object that could result in memory corruption, data race, or other related issues. This bug was introduced early in the development of Lucet and is present in all releases. As a result of this bug, and dependent on the memory backing for the Instance objects, it is possible to trigger a use-after-free when the Instance is dropped. Users should upgrade to the main branch of the Lucet repository. Lucet no longer provides versioned releases on crates.io. There is no way to remediate this vulnerability without upgrading.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

lucet <= 0.6.1

References

https://github.com/bytecodealliance/lucet/security/adviso...
x_refsource_CONFIRM
https://github.com/bytecodealliance/lucet/commit/7c7757c7...
x_refsource_MISC
https://crates.io/crates/lucet-runtime
x_refsource_MISC

CVSS V3.1

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.