CVE-2021-43790

Name: CVE-2021-43790
Creator: NVD / NIST
Published: 2021-11-30T00:15:07.357+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.1/10EPSS 1.57%

Last modified Jun 17, 2026

CVE-2021-43790 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. Lucet is a native WebAssembly compiler and runtime. There is a bug in the main branch of `lucet-runtime` affecting all versions published to crates.io that allows a use-after-free in an Instance object that could result in memory corruption, data race, or other related issues. EPSS estimates a 1.57% chance of exploitation in the next 30 days.

Description

Lucet is a native WebAssembly compiler and runtime. There is a bug in the main branch of `lucet-runtime` affecting all versions published to crates.io that allows a use-after-free in an Instance object that could result in memory corruption, data race, or other related issues. This bug was introduced early in the development of Lucet and is present in all releases. As a result of this bug, and dependent on the memory backing for the Instance objects, it is possible to trigger a use-after-free when the Instance is dropped. Users should upgrade to the main branch of the Lucet repository. Lucet no longer provides versioned releases on crates.io. There is no way to remediate this vulnerability without upgrading.

Metrics

CVSS 3.1

8.1/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.57%

72.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-416

Affected Software

Vendor	Product	Versions
Bytecodealliance	Lucet	<= 0.6.1

References

https://crates.io/crates/lucet-runtimeProduct, Third Party Advisory
https://github.com/bytecodealliance/lucet/commit/7c7757c772fb709c61b1442bcc1e1fbee97bf4a8Patch, Third Party Advisory
https://github.com/bytecodealliance/lucet/security/advisories/GHSA-hf79-8hjp-rrvqExploit, Third Party Advisory
https://crates.io/crates/lucet-runtimeProduct, Third Party Advisory
https://github.com/bytecodealliance/lucet/commit/7c7757c772fb709c61b1442bcc1e1fbee97bf4a8Patch, Third Party Advisory
https://github.com/bytecodealliance/lucet/security/advisories/GHSA-hf79-8hjp-rrvqExploit, Third Party Advisory

Timeline

Published: Nov 30, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-43790?

How severe is CVE-2021-43790?

CVE-2021-43790 has a CVSS score of 8.1/10 (HIGH severity). The EPSS model estimates a 1.57% probability of exploitation in the next 30 days.

How do I fix CVE-2021-43790?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-43790?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST