HIGH 8.8

RUSTSEC-2021-0067

Memory access due to code generation flaw in Cranelift module

Details

There is a bug in 0.73.0 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in a WebAssembly module. Users of versions 0.73.0 of Cranelift should upgrade to either 0.73.1 or 0.74 to remediate this vulnerability. Users of Cranelift prior to 0.73.0 should update to 0.73.1 or 0.74 if they were not using the old default backend.

More details can be found in the GitHub Security Advisory at:

<https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hpqh-2wqx-7qp5>

Are you affected?

Enter the version of the package you're using.

Affected packages

crates.io / cranelift-codegen

Introduced in: 0.0.0-0 Fixed in: 0.73.1

Upgrade cranelift-codegen to 0.73.1 or newer (ecosystem crates.io).

References

https://crates.io/crates/cranelift-codegen [PACKAGE]
https://rustsec.org/advisories/RUSTSEC-2021-0067.html [ADVISORY]
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hpqh-2wqx-7qp5 [ADVISORY]