CVE-2021-38592

7.5 HIGH

📋 TL;DR

CVE-2021-38592 is a heap-based buffer overflow vulnerability in Wasm3 0.5.0's op_Const64 function that can be triggered during WebAssembly module loading. This allows attackers to execute arbitrary code or cause denial of service by providing malicious WebAssembly modules. Anyone using Wasm3 0.5.0 to execute untrusted WebAssembly code is affected.

💻 Affected Systems

Products:
  • Wasm3
Versions: Version 0.5.0 specifically
Operating Systems: All platforms running Wasm3
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when loading WebAssembly modules that trigger the op_Const64 function.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if the vulnerable process has sufficient privileges.

🟠 Likely Case: Denial of service through application crashes or memory corruption leading to instability.

🟢 If Mitigated: Limited impact if running with minimal privileges and proper sandboxing.

🌐 Internet-Facing: HIGH if processing untrusted WebAssembly modules from external sources.
🏢 Internal Only: MEDIUM if only processing trusted internal WebAssembly modules.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept available through OSS-Fuzz reports; exploitation requires providing malicious WebAssembly modules.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 0.5.0

Vendor Advisory: https://github.com/wasm3/wasm3/security/advisories

Restart Required: Yes

Instructions:

  1. Update Wasm3 to version 0.5.1 or later.
  2. Recompile any applications using Wasm3.
  3. Restart affected services.

🔧 Temporary Workarounds

Disable untrusted WebAssembly execution (platform: all)

Prevent loading of untrusted WebAssembly modules

Run with reduced privileges (platform: linux)

Execute Wasm3 with minimal system permissions:

sudo -u nobody ./wasm3_app

🧯 If You Can't Patch

  • Implement strict input validation for WebAssembly modules
  • Deploy application sandboxing/containerization to limit blast radius

🔍 How to Verify

Check if Vulnerable:

Check if Wasm3 version is exactly 0.5.0

Check Version:

wasm3 --version

Verify Fix Applied:

Verify Wasm3 version is 0.5.1 or later
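
The version check above as a script, added here as an example (not part of the original advisory or the Wasm3 project). It assumes `wasm3 --version` prints a MAJOR.MINOR.PATCH token such as `v0.5.0`; the function names and the NOT_LISTED label for releases older than 0.5.0, which this page does not cover, are the example's own.

```shell
#!/bin/sh
# Added example: classify a Wasm3 build against CVE-2021-38592 using the
# version text it reports. Assumption: the text contains a token like "v0.5.0".

# Print the first MAJOR.MINOR.PATCH token found in the given text, or nothing.
wasm3_extract_version() {
    printf '%s\n' "$1" | awk '
        match($0, /[0-9]+\.[0-9]+\.[0-9]+/) {
            print substr($0, RSTART, RLENGTH)
            exit
        }'
}

# Print one of:
#   VULNERABLE  exactly 0.5.0 (the affected version on this page)
#   FIXED       0.5.1 or later
#   NOT_LISTED  older than 0.5.0 (not covered by this page)
#   UNKNOWN     no version token found (binary missing, unexpected output)
wasm3_classify() {
    ver=$(wasm3_extract_version "$1")
    if [ -z "$ver" ]; then
        echo UNKNOWN
        return 0
    fi
    # Compare numerically so that 0.10.0 sorts after 0.5.1.
    # Each component is assumed to be below 1000.
    printf '%s\n' "$ver" | awk -F. '{
        n = $1 * 1000000 + $2 * 1000 + $3
        if (n == 5000)      print "VULNERABLE"
        else if (n >= 5001) print "FIXED"
        else                print "NOT_LISTED"
    }'
}

# Check the local binary only when one is on PATH.
if command -v wasm3 >/dev/null 2>&1; then
    wasm3_classify "$(wasm3 --version 2>&1)"
fi
```

Applications that embed Wasm3 as a library do not ship the `wasm3` binary, so for those check the version of the bundled source or package instead.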

📡 Detection & Monitoring

Log Indicators:

  • Segmentation faults
  • Memory access violation errors
  • Abnormal process termination

Network Indicators:

  • Unexpected WebAssembly module uploads
  • Suspicious module loading patterns

SIEM Query:

process.name:"wasm3" AND (event.action:"segmentation_fault" OR event.action:"memory_violation")
