CVE-2021-32629

HIGHNVD 7.27.2
EchelonGraph scoreMEDIUM confidence

This high-severity CVE scores 7.2 under NVD CVSS v3. EPSS exploit probability: 0.1%, top 79% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: epss, nvd
7.2
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.2Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Cranelift is an open-source code generator maintained by Bytecode Alliance. It translates a target-independent intermediate representation into executable machine code. There is a bug in 0.73 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in a Wasm program. This bug was introduced in the new backend on 2020-09-08 and first included in a release on 2020-09-30, but the new backend was not the default prior to 0.73. The recently-released version 0.73 with default settings, and prior versions with an explicit build flag to select the new backend, are vulnerable. The bug in question performs a sign-extend instead of a zero-extend on a value loaded from the stack, under a specific set of circumstances. If those circumstances occur, the bug could allow access to memory addresses upto 2GiB before the start of the Wasm program heap. If the heap bound is larger than 2GiB, then it would be possible to read memory from a computable range dependent on the size of the heaps bound. The impact of this bug is highly dependent on heap implementation, specifically: * if the heap has bounds checks, and * does not rely exclusively on guard pages, and * the heap bound is 2GiB or smaller * then this bug cannot be used to reach memory from another Wasm program heap. The impact of the vulnerability is mitigated if there is no memory mapped in the range accessible using this bug, for example, if there is a 2 GiB guard region before the Wasm program heap. The bug in question performs a sign-extend instead of a zero-extend on a value loaded from the stack, when the register allocator reloads a spilled integer value narrower than 64 bits. This interacts poorly with another optimization: the instruction selector elides a 32-to-64-bit zero-extend operator when we know that an instruction producing a 32-bit value actually zeros the upper 32 bits of its destination register. Hence, we rely on these zeroed bits, but the type of the value is still i32, and the spill/reload reconstitutes those bits as the sign extension of the i32’s MSB. The issue would thus occur when: * An i32 value in a Wasm program is greater than or equal to 0x8000_0000; * The value is spilled and reloaded by the register allocator due to high register pressure in the program between the value’s definition and its use; * The value is produced by an instruction that we know to be “special” in that it zeroes the upper 32 bits of its destination: add, sub, mul, and, or; * The value is then zero-extended to 64 bits in the Wasm program; * The resulting 64-bit value is used. Under these circumstances there is a potential sandbox escape when the i32 value is a pointer. The usual code emitted for heap accesses zero-extends the Wasm heap address, adds it to a 64-bit heap base, and accesses the resulting address. If the zero-extend becomes a sign-extend, the program could reach backward and access memory up to 2GiB before the start of its heap. In addition to assessing the nature of the code generation bug in Cranelift, we have also determined that under specific circumstances, both Lucet and Wasmtime using this version of Cranelift may be exploitable. See referenced GitHub Advisory for more details.

CVSS v3
7.2
EG Score
7.2(medium)
EPSS
36.5%
KEV
Not listed

Published

May 24, 2021

Last Modified

November 21, 2024

Affected Packages

(2 across 2 ecosystems)
crates.io(1)
PackageVulnerable rangeFixed inDependents
cranelift-codegen0.73.1
PyPI(1)
PackageVulnerable rangeFixed inDependents
wasmtime0.0.1 ... 0.9.0 (21 versions)0.27.0

Weakness Classification(3)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 9× in last 7d / 45× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-11 08:25 UTCEPSS rescore
  2. 2026-07-11 08:25 UTCEPSS rescore
  3. 2026-07-09 19:07 UTCEPSS rescore
  4. 2026-07-08 15:12 UTCEPSS rescore
  5. 2026-07-07 13:43 UTCEPSS rescore
  6. 2026-07-06 16:25 UTCEPSS rescore
  7. 2026-07-06 02:21 UTCEPSS rescore
  8. 2026-07-05 02:28 UTCEPSS rescore
  9. 2026-07-05 02:28 UTCEPSS rescore
  10. 2026-07-04 06:29 UTCEPSS rescore
  11. 2026-07-04 06:29 UTCEPSS rescore
  12. 2026-07-01 15:04 UTCEPSS rescore
  13. 2026-07-01 02:48 UTCOSV refresh
  14. 2026-06-30 23:20 UTCEPSS rescore
  15. 2026-06-30 23:20 UTCEPSS rescore
  16. 2026-06-29 14:04 UTCEPSS rescore
  17. 2026-06-28 14:05 UTCEPSS rescore
  18. 2026-06-28 04:54 UTCEPSS rescore
  19. 2026-06-28 04:54 UTCEPSS rescore
  20. 2026-06-27 03:06 UTCEPSS rescore
  21. 2026-06-25 13:48 UTCEPSS rescore
  22. 2026-06-25 13:48 UTCEPSS rescore
  23. 2026-06-24 14:03 UTCEPSS rescore
  24. 2026-06-24 14:03 UTCEPSS rescore
  25. 2026-06-23 21:31 UTCEPSS rescore
Show 56 more
  1. 2026-06-23 21:31 UTCEPSS rescore
  2. 2026-06-22 14:24 UTCEPSS rescore
  3. 2026-06-22 14:24 UTCEPSS rescore
  4. 2026-06-21 14:55 UTCEPSS rescore
  5. 2026-06-21 01:58 UTCEPSS rescore
  6. 2026-06-21 01:58 UTCEPSS rescore
  7. 2026-06-19 19:24 UTCEPSS rescore
  8. 2026-06-19 19:24 UTCEPSS rescore
  9. 2026-06-18 17:51 UTCEPSS rescore
  10. 2026-06-18 17:51 UTCEPSS rescore
  11. 2026-06-17 17:51 UTCEPSS rescore
  12. 2026-06-16 17:51 UTCEPSS rescore
  13. 2026-06-16 17:51 UTCEPSS rescore
  14. 2026-06-15 17:46 UTCEPSS rescore
  15. 2026-06-14 23:15 UTCEPSS rescore
  16. 2026-06-13 22:58 UTCEPSS rescore
  17. 2026-06-13 22:58 UTCEPSS rescore
  18. 2026-06-13 05:13 UTCOSV refresh
  19. 2026-06-12 23:10 UTCEPSS rescore
  20. 2026-06-12 23:10 UTCEPSS rescore
  21. 2026-06-11 13:58 UTCEPSS rescore
  22. 2026-06-10 22:16 UTCEPSS rescore
  23. 2026-06-10 13:20 UTCEPSS rescore
  24. 2026-06-08 14:15 UTCEPSS rescore
  25. 2026-06-08 14:15 UTCEPSS rescore
  26. 2026-06-07 15:23 UTCEPSS rescore
  27. 2026-06-07 15:23 UTCEPSS rescore
  28. 2026-06-06 13:46 UTCEPSS rescore
  29. 2026-06-06 13:46 UTCEPSS rescore
  30. 2026-06-06 13:46 UTCEPSS rescore
  31. 2026-06-05 22:45 UTCEPSS rescore
  32. 2026-06-05 06:09 UTCEPSS rescore
  33. 2026-06-05 06:09 UTCEPSS rescore
  34. 2026-06-04 13:10 UTCEPSS rescore
  35. 2026-06-04 13:10 UTCEPSS rescore
  36. 2026-06-02 20:11 UTCEPSS rescore
  37. 2026-06-02 20:11 UTCEPSS rescore
  38. 2026-06-01 13:50 UTCEPSS rescore
  39. 2026-06-01 13:50 UTCEPSS rescore
  40. 2026-05-31 22:29 UTCEPSS rescore
  41. 2026-05-31 22:29 UTCEPSS rescore
  42. 2026-05-31 00:15 UTCEPSS rescore
  43. 2026-05-31 00:15 UTCEPSS rescore
  44. 2026-05-29 13:42 UTCEPSS rescore
  45. 2026-05-29 13:42 UTCEPSS rescore
  46. 2026-05-28 13:43 UTCEPSS rescore
  47. 2026-05-28 13:43 UTCEPSS rescore
  48. 2026-05-27 13:39 UTCEPSS rescore
  49. 2026-05-27 13:39 UTCEPSS rescore
  50. 2026-05-27 13:39 UTCEPSS rescore
  51. 2026-05-26 16:12 UTCEG score recompute
  52. 2026-05-26 13:42 UTCEPSS rescore
  53. 2026-05-26 07:17 UTCEPSS rescore
  54. 2026-05-26 07:17 UTCEPSS rescore
  55. 2026-05-26 07:17 UTCEPSS rescore
  56. 2026-05-23 08:31 UTCOSV refresh

Frequently asked(5)

What is CVE-2021-32629?
CVE-2021-32629 is a high vulnerability published on May 24, 2021. Cranelift is an open-source code generator maintained by Bytecode Alliance. It translates a target-independent intermediate representation into executable machine code. There is a bug in 0.73 of the Cranelift x64 backend that can create a scenario that could result in a potential sandbox escape in…
When was CVE-2021-32629 disclosed?
CVE-2021-32629 was first published in the National Vulnerability Database on May 24, 2021, with the most recent update on November 21, 2024. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2021-32629 actively exploited?
CVE-2021-32629 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 36.5% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2021-32629?
CVE-2021-32629 has a CVSS v3 base score of 7.2 (NVD).
How do I remediate CVE-2021-32629?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2021-32629, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-32629

Explore →

Is Your Infrastructure Affected by CVE-2021-32629?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.