VYPR
Critical severity · NVD Advisory · Published Dec 31, 2020 · Updated Aug 4, 2024

CVE-2020-35859

Description

A bug in lucet-runtime-internals mishandles sigstack allocation, potentially exposing sensitive data or causing memory corruption in guest programs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Root Cause

The vulnerability in the lucet-runtime-internals crate (before 0.5.1) is a memory layout bug in signal stack (sigstack) allocation. The signal stack was placed one page after the start of the globals section without accounting for the actual size of the globals. As a result, when the globals size was larger than the default (one page), the signal stack could overlap with the globals region [3]. Additionally, the signal stack lacked a proper guard page, further increasing the risk of memory corruption.

Exploitation

The flaw is reachable without any authentication or user interaction (CVSS 3.1 base score 9.1, CRITICAL). An attacker who can control or influence a guest WebAssembly program can exploit the overlapping memory regions. The bug is triggered during runtime execution; a malicious guest program could read or write past the intended signal stack boundaries, either leaking residual stack data or corrupting adjacent memory used by the guest or the runtime [1][2].

Impact

Successful exploitation leads to two classes of impact: memory exposure (confidentiality) and memory corruption (availability). The guest program could observe sensitive information left on the signal stack by previous operations, or it could corrupt the globals segment, causing undefined behavior or crashes in the runtime. The official advisory rates confidentiality and availability as High, with Integrity unaffected [2].

Mitigation

The fix was implemented in pull request #401 and released in version 0.5.1 of lucet-runtime-internals. Users should upgrade to 0.5.1 or apply the patch to correct the sigstack offset calculation and add the missing guard page [2][3]. Note that the Lucet project has reached end-of-life; all users are transitioned to Wasmtime, which does not contain this vulnerability [4].
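
The offset error from the Root Cause section and the corrected calculation from the Mitigation section, as an added example that is not Lucet's code. It is a simplified model: the 4 KiB page size, the function names, the sample address and sizes, and the placement of the guard page between the globals and the signal stack are all assumptions.

```rust
// Simplified model of the layout described above; not Lucet's code.
// PAGE, the function names and the sample values are assumptions.
const PAGE: usize = 4096;

/// Round `n` up to a whole number of pages.
fn page_align(n: usize) -> usize {
    (n + PAGE - 1) / PAGE * PAGE
}

/// Pre-fix placement as the advisory describes it: one page past the
/// start of globals, regardless of how large globals actually is.
fn sigstack_start_buggy(globals_start: usize, _globals_size: usize) -> usize {
    globals_start + PAGE
}

/// Corrected placement: past the page-aligned end of globals, plus one
/// guard page so a sigstack overflow faults instead of reaching globals.
fn sigstack_start_fixed(globals_start: usize, globals_size: usize) -> usize {
    globals_start + page_align(globals_size) + PAGE
}

/// Bytes of globals that lie at or above the sigstack's start address
/// (0 when the two regions are disjoint).
fn overlap_bytes(globals_start: usize, globals_size: usize, sigstack_start: usize) -> usize {
    let globals_end = globals_start + page_align(globals_size);
    globals_end.saturating_sub(sigstack_start)
}

/// Layout invariant: no aliasing, and at least one guard page in between.
fn layout_is_safe(globals_start: usize, globals_size: usize, sigstack_start: usize) -> bool {
    let globals_end = globals_start + page_align(globals_size);
    sigstack_start >= globals_end + PAGE
}

fn main() {
    let base = 0x10_0000; // constructed address
    for size in [PAGE, 3 * PAGE] {
        // default-sized globals vs. enlarged globals
        let b = sigstack_start_buggy(base, size);
        let f = sigstack_start_fixed(base, size);
        println!(
            "globals={:#x} buggy: overlap={} safe={} | fixed: overlap={} safe={}",
            size, overlap_bytes(base, size, b), layout_is_safe(base, size, b),
            overlap_bytes(base, size, f), layout_is_safe(base, size, f)
        );
    }
}
```

With one page of globals the pre-fix placement does not overlap but still fails the invariant because no guard page separates the regions; with three pages, two full pages of globals alias the signal stack.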

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
lucet-runtime-internals (crates.io) | < 0.4.3 | 0.4.3
lucet-runtime-internals (crates.io) | >= 0.5.0, < 0.5.1 | 0.5.1
