fix(aap): fix possible memory corruption in WAF context [backport 4.5] (#16755)

dd-octo-sts[bot] · github-actions[bot] · christophe-papazian · web-flow · commit 5d48b8ead4ac · 2026-03-05T12:14:54.000Z
Backport #16740 to 4.5 Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Christophe Papazian <114495376+christophe-papazian@users.noreply.github.com>
diff --git a/ddtrace/appsec/_ddwaf/waf.py b/ddtrace/appsec/_ddwaf/waf.py
@@ -183,7 +183,8 @@ def run(
         observator = _observator()
         wrapper = ddwaf_object(data, observator=observator)
         wrapper_ephemeral = ddwaf_object(ephemeral_data, observator=observator) if ephemeral_data else None
-        error = ddwaf_run(ctx.ctx, wrapper, wrapper_ephemeral, result_obj, int(timeout_ms * 1000))
+        with ctx._lock:
+            error = ddwaf_run(ctx.ctx, wrapper, wrapper_ephemeral, result_obj, int(timeout_ms * 1000))
         if error < 0:
             LOGGER.debug("run DDWAF error: %d\ninput %s\nerror %s", error, wrapper.struct, self.info.errors)
         result = result_obj.struct
diff --git a/ddtrace/appsec/_ddwaf/waf_stubs.py b/ddtrace/appsec/_ddwaf/waf_stubs.py
@@ -11,6 +11,7 @@
 from ddtrace.appsec._constants import DEFAULT
 from ddtrace.appsec._utils import DDWaf_info
 from ddtrace.appsec._utils import DDWaf_result
+from ddtrace.internal._unpatched import threading_Lock
 from ddtrace.internal.logger import get_logger
 from ddtrace.internal.remoteconfig import PayloadType
 
@@ -46,6 +47,12 @@ def __init__(self, ctx: type[T], free_fn: Callable[[type[T]], None]) -> None:
         self.ctx = ctx
         self.free_fn = free_fn
         self.rc_products: str = ""
+        # AIDEV-NOTE: This lock serializes concurrent ddwaf_run calls on the same context.
+        # ctypes foreign function calls release the Python GIL, allowing thread pool workers
+        # (run_in_executor) to call the WAF simultaneously with the event loop thread when both
+        # inherit the same ddwaf_context via contextvars propagation. libddwaf's ddwaf_context
+        # is not thread-safe for concurrent runs, so we must serialize them here.
+        self._lock: threading_Lock = threading_Lock()
 
     def __del__(self):
         if self.ctx:
diff --git a/releasenotes/notes/appsec-fix-waf-concurrent-access-memory-corruption-a5a06cc057be4c0f.yaml b/releasenotes/notes/appsec-fix-waf-concurrent-access-memory-corruption-a5a06cc057be4c0f.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    AAP: Fixes a memory corruption issue where concurrent calls to the WAF
+    on the same request context from multiple threads (e.g. an asyncio event loop
+    and a thread pool executor inheriting the same context via ``contextvars``)
+    could cause use-after-free or double-free crashes (SIGSEGV) inside
+    ``libddwaf``. A per-context lock now serializes WAF calls on the same context.
