Cranelift is an open-source code generator maintained by Bytecode Alliance. It translates a target-independent intermediate representation into executable machine code. There is a bug in 0.73 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in a Wasm program. This bug was introduced in the new backend on 2020-09-08 and first included in a release on 2020-09-30, but the new backend was not the default prior to 0.73. The recently-released version 0.73 with default settings, and prior versions with an explicit build flag to select the new backend, are vulnerable. The bug in question performs a sign-extend instead of a zero-extend on a value loaded from the stack, under a specific set of circumstances. If those circumstances occur, the bug could allow access to memory addresses upto 2GiB before the start of the Wasm program heap. If the heap bound is larger than 2GiB, then it would be possible to read memory from a computable range dependent on the size of the heaps bound. The impact of this bug is highly dependent on heap implementation, specifically: * if the heap has bounds checks, and * does not rely exclusively on guard pages, and * the heap bound is 2GiB or smaller * then this bug cannot be used to reach memory from another Wasm program heap. The impact of the vulnerability is mitigated if there is no memory mapped in the range accessible using this bug, for example, if there is a 2 GiB guard region before the Wasm program heap. The bug in question performs a sign-extend instead of a zero-extend on a value loaded from the stack, when the register allocator reloads a spilled integer value narrower than 64 bits. This interacts poorly with another optimization: the instruction selector elides a 32-to-64-bit zero-extend operator when we know that an instruction producing a 32-bit value actually zeros the upper 32 bits of its destination register. Hence, we rely on these zeroed bits, but the type of the value is still i32, and the spill/reload reconstitutes those bits as the sign extension of the i32’s MSB. The issue would thus occur when: * An i32 value in a Wasm program is greater than or equal to 0x8000_0000; * The value is spilled and reloaded by the register allocator due to high register pressure in the program between the value’s definition and its use; * The value is produced by an instruction that we know to be “special” in that it zeroes the upper 32 bits of its destination: add, sub, mul, and, or; * The value is then zero-extended to 64 bits in the Wasm program; * The resulting 64-bit value is used. Under these circumstances there is a potential sandbox escape when the i32 value is a pointer. The usual code emitted for heap accesses zero-extends the Wasm heap address, adds it to a 64-bit heap base, and accesses the resulting address. If the zero-extend becomes a sign-extend, the program could reach backward and access memory up to 2GiB before the start of its heap. In addition to assessing the nature of the code generation bug in Cranelift, we have also determined that under specific circumstances, both Lucet and Wasmtime using this version of Cranelift may be exploitable. See referenced GitHub Advisory for more details.
CVE-2021-32629
This high-severity CVE scores 7.2 under NVD CVSS v3. EPSS exploit probability: 0.1%, top 79% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 7.2
- EG Score
- 7.2(medium)
- EPSS
- 36.5%
- KEV
- Not listed
Published
May 24, 2021
Last Modified
November 21, 2024
References (8)
- security-advisories@githubhttps://crates.io/crates/cranelift-codegen
- security-advisories@githubhttps://github.com/bytecodealliance/wasmtime/commit/95559c01aaa7c061088a433040f31e8291fb09d0
- security-advisories@githubhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hpqh-2wqx-7qp5
- security-advisories@githubhttps://www.fastly.com/security-advisories/memory-access-due-to-code-generation-flaw-in-cranelift-module
- af854a3a-2127-422b-91ae-364da2661108https://crates.io/crates/cranelift-codegen
- af854a3a-2127-422b-91ae-364da2661108https://github.com/bytecodealliance/wasmtime/commit/95559c01aaa7c061088a433040f31e8291fb09d0
- af854a3a-2127-422b-91ae-364da2661108https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hpqh-2wqx-7qp5
- af854a3a-2127-422b-91ae-364da2661108https://www.fastly.com/security-advisories/memory-access-due-to-code-generation-flaw-in-cranelift-module
Affected Packages
(2 across 2 ecosystems)
crates.io(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| cranelift-codegen | — | 0.73.1 | — |
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| wasmtime | 0.0.1 ... 0.9.0 (21 versions) | 0.27.0 | — |
Weakness Classification(3)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 9× in last 7d / 45× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-09 19:07 UTCEPSS rescore
- 2026-07-08 15:12 UTCEPSS rescore
- 2026-07-07 13:43 UTCEPSS rescore
- 2026-07-06 16:25 UTCEPSS rescore
- 2026-07-06 02:21 UTCEPSS rescore
- 2026-07-05 02:28 UTCEPSS rescore
- 2026-07-05 02:28 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-01 15:04 UTCEPSS rescore
- 2026-07-01 02:48 UTCOSV refresh
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-29 14:04 UTCEPSS rescore
- 2026-06-28 14:05 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-27 03:06 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
Show 56 moreShow fewer
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-22 14:24 UTCEPSS rescore
- 2026-06-22 14:24 UTCEPSS rescore
- 2026-06-21 14:55 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-15 17:46 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-13 05:13 UTCOSV refresh
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 13:20 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-29 13:42 UTCEPSS rescore
- 2026-05-29 13:42 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-26 16:12 UTCEG score recompute
- 2026-05-26 13:42 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-23 08:31 UTCOSV refresh
Related CVEs(same CWE)
Same CWE
10 shownCWE-125
- CVE-2014-2898EG 9.8CRITICAL
- CVE-2014-2897EG 9.8CRITICAL
- CVE-2014-2896EG 9.8CRITICAL
- CVE-2015-9290EG 9.8CRITICAL
- CVE-1999-0006EG 9.8EPSS 96%CRITICAL
- CVE-2014-3180EG 9.1CRITICAL
- CVE-2014-1508EG 9.1EPSS 90%CRITICAL
- CVE-2014-0160NVD 7.5EG 9.0 KEVEPSS 100%HIGH
- CVE-2014-1497EG 8.8HIGH
- CVE-2011-3406EG 8.8EPSS 98%HIGH
Frequently asked(5)
What is CVE-2021-32629?
When was CVE-2021-32629 disclosed?
Is CVE-2021-32629 actively exploited?
What is the CVSS score of CVE-2021-32629?
How do I remediate CVE-2021-32629?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-32629
Is Your Infrastructure Affected by CVE-2021-32629?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.