1. Home
  2. CVE Database
  3. CVE-2021-43790
HIGH · 8.5

CVE-2021-43790

Lucet is a native WebAssembly compiler and runtime. There is a bug in the main branch of `lucet-runtime` affecting all versions published to crates.io that allows a use-after-free in an Instance objec...

Vulnerability Description

Lucet is a native WebAssembly compiler and runtime. There is a bug in the main branch of `lucet-runtime` affecting all versions published to crates.io that allows a use-after-free in an Instance object that could result in memory corruption, data race, or other related issues. This bug was introduced early in the development of Lucet and is present in all releases. As a result of this bug, and dependent on the memory backing for the Instance objects, it is possible to trigger a use-after-free when the Instance is dropped. Users should upgrade to the main branch of the Lucet repository. Lucet no longer provides versioned releases on crates.io. There is no way to remediate this vulnerability without upgrading.

CVSS Score

8.5

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
BytecodeallianceLucet<= 0.6.1

Related Weaknesses (CWE)

CWE-416

References

FAQ

What is CVE-2021-43790?

CVE-2021-43790 is a vulnerability with a CVSS score of 8.5 (HIGH). Lucet is a native WebAssembly compiler and runtime. There is a bug in the main branch of `lucet-runtime` affecting all versions published to crates.io that allows a use-after-free in an Instance objec...

How severe is CVE-2021-43790?

CVE-2021-43790 has been rated HIGH with a CVSS base score of 8.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-43790?

Check the references section above for vendor advisories and patch information. Affected products include: Bytecodealliance Lucet.