Vulnerability-Lookup

PYSEC-2026-151

Vulnerability from pysec - Published: 2026-04-09 19:16 - Updated: 2026-05-20 09:19

Details

Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following steps must occur to trigger the bug clone a wasmtime::Linker, drop the original linker instance, use the new, cloned linker instance, resulting in a use-after-free. This vulnerability is fixed in 43.0.1.

Severity ?

5.0 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Impacted products

Name	purl
wasmtime	pkg:pypi/wasmtime

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wasmtime",
        "purl": "pkg:pypi/wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {}
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.1",
        "0.0.2",
        "0.11.0",
        "0.12.0",
        "0.15.0",
        "0.15.1",
        "0.16.0",
        "0.16.1",
        "0.17.0",
        "0.18.0",
        "0.18.1",
        "0.18.2",
        "0.19.0",
        "0.20.0",
        "0.21.0",
        "0.22.0",
        "0.23.0",
        "0.24.0",
        "0.25.0",
        "0.26.0",
        "0.27.0",
        "0.28.0",
        "0.28.1",
        "0.29.0",
        "0.30.0",
        "0.31.0",
        "0.32.0",
        "0.33.0",
        "0.34.0",
        "0.35.0",
        "0.36.0",
        "0.37.0",
        "0.38.0",
        "0.39.1",
        "0.40.0",
        "0.9.0",
        "1.0.0",
        "1.0.1",
        "10.0.0",
        "10.0.1",
        "11.0.0",
        "12.0.0",
        "13.0.0",
        "13.0.1",
        "13.0.2",
        "14.0.0",
        "15.0.0",
        "16.0.0",
        "17.0.0",
        "17.0.1",
        "18.0.0",
        "18.0.2",
        "19.0.0",
        "2.0.0",
        "20.0.0",
        "21.0.0",
        "22.0.0",
        "23.0.0",
        "24.0.0",
        "25.0.0",
        "27.0.0",
        "27.0.1",
        "27.0.2",
        "28.0.0",
        "29.0.0",
        "3.0.0",
        "30.0.0",
        "31.0.0",
        "32.0.0",
        "33.0.0",
        "34.0.0",
        "35.0.0",
        "36.0.0",
        "37.0.0",
        "38.0.0",
        "39.0.0",
        "4.0.0",
        "40.0.0",
        "41.0.0",
        "42.0.0",
        "43.0.0",
        "44.0.0",
        "5.0.0",
        "6.0.0",
        "7.0.0",
        "8.0.0",
        "8.0.1",
        "9.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34983",
    "GHSA-hfr4-7c6c-48w2"
  ],
  "details": "Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following steps must occur to trigger the bug clone a wasmtime::Linker, drop the original linker instance, use the new, cloned linker instance, resulting in a use-after-free. This vulnerability is fixed in 43.0.1.",
  "id": "PYSEC-2026-151",
  "modified": "2026-05-20T09:19:23.560564Z",
  "published": "2026-04-09T19:16:24.850Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2026-34983 (GCVE-0-2026-34983)

Vulnerability from cvelistv5 – Published: 2026-04-09 18:47 – Updated: 2026-04-13 15:38

Title

Wasmtime has a use-after-free bug after cloning `wasmtime::Linker`

Summary

Severity ?

1 (Low)


                        
                          CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

CWE

CWE-416 - Use After Free

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/bytecodealliance/wasmtime/secu…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
bytecodealliance	wasmtime	Affected: >= 43.0.0, < 43.0.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34983",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T15:28:37.718395Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T15:38:33.779Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wasmtime",
          "vendor": "bytecodealliance",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 43.0.0, \u003c 43.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following steps must occur to trigger the bug clone a wasmtime::Linker, drop the original linker instance, use the new, cloned linker instance, resulting in a use-after-free. This vulnerability is fixed in 43.0.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "PHYSICAL",
            "baseScore": 1,
            "baseSeverity": "LOW",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416: Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T18:47:26.575Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2"
        }
      ],
      "source": {
        "advisory": "GHSA-hfr4-7c6c-48w2",
        "discovery": "UNKNOWN"
      },
      "title": "Wasmtime has a use-after-free bug after cloning `wasmtime::Linker`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34983",
    "datePublished": "2026-04-09T18:47:26.575Z",
    "dateReserved": "2026-03-31T19:38:31.617Z",
    "dateUpdated": "2026-04-13T15:38:33.779Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-HFR4-7C6C-48W2

Vulnerability from github – Published: 2026-04-09 20:23 – Updated: 2026-04-10 14:39

Summary

Wasmtime has use-after-free bug after cloning `wasmtime::Linker`

Details

Impact

In version 43.0.0 of the wasmtime crate, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs.

This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host.

The typical symptom of this use-after-free bug is a segfault. It does not enable heap corruption or data leakage.

If you are using the wasmtime CLI, rather than the embedding API, you are not affected. If you are using the embedding API but are not calling wasmtime::Linker's Clone implementation, you are not affected.

Specifically, the following steps must occur to trigger the bug:

Clone a wasmtime::Linker
Drop the original linker instance
Use the new, cloned linker instance, resulting in a use-after-free

Patches

This bug has been patched in Wasmtime version 43.0.1

Workarounds

Wasmtime embedders are highly encouraged to upgrade their wasmtime crate dependency.

If upgrading is not an option, or as a temporary workaround before upgrading, you can avoid this bug by not cloning wasmtime::Linker and instead creating a new, empty wasmtime::Linker and manually reregistering the host APIs from the original linker:

use wasmtime::{Linker, Result, Store};

fn clone_linker<T>(linker: &Linker<T>, store: &mut Store<T>) -> Result<Linker<T>> {
    let mut cloned = Linker::new();
    for (module, name, item) in linker.iter(store) {
        cloned.define(module, name, item)?;
    }
    Ok(cloned)
}

References

This bug was introduced during an internal refactoring that was part of our efforts to robustly handle allocation failure in Wasmtime. This refactoring introduced an string-interning pool which had an unsound TryClone[^try-clone] implementation.

[^try-clone]: The TryClone trait is our version of the Rust standard library's Clone trait that allows for returning OutOfMemory errors.

The StringPool was introduced in https://github.com/bytecodealliance/wasmtime/pull/12536, at which time the bug in TryClone for StringPool was already present, although this code path was not yet used anywhere.
wasmtime::Linker was refactored to internally use StringPool in https://github.com/bytecodealliance/wasmtime/pull/12537, at which time the buggy code path became accessible.
This bug was originally reported to the Wasmtime maintainers as https://github.com/bytecodealliance/wasmtime/pull/12906

Severity ?

1.0 (Low)


                  
                    CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "43.0.0"
            },
            {
              "fixed": "43.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "43.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34983"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-09T20:23:44Z",
    "nvd_published_at": "2026-04-09T19:16:24Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nIn version 43.0.0 of the `wasmtime` crate, cloning a `wasmtime::Linker` is unsound and can result in use-after-free bugs.\n\nThis bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host.\n\nThe typical symptom of this use-after-free bug is a segfault. It does not enable heap corruption or data leakage.\n\nIf you are using the `wasmtime` CLI, rather than the embedding API, you are not affected. If you are using the embedding API but are not calling `wasmtime::Linker`\u0027s `Clone` implementation, you are not affected.\n\nSpecifically, the following steps must occur to trigger the bug:\n\n* Clone a `wasmtime::Linker`\n* Drop the original linker instance\n* Use the new, cloned linker instance, resulting in a use-after-free\n\n### Patches\n\nThis bug has been patched in Wasmtime version 43.0.1\n\n### Workarounds\n\nWasmtime embedders are highly encouraged to upgrade their `wasmtime` crate dependency.\n\nIf upgrading is not an option, or as a temporary workaround before upgrading, you can avoid this bug by not cloning `wasmtime::Linker` and instead creating a new, empty `wasmtime::Linker` and manually reregistering the host APIs from the original linker:\n\n```rust\nuse wasmtime::{Linker, Result, Store};\n\nfn clone_linker\u003cT\u003e(linker: \u0026Linker\u003cT\u003e, store: \u0026mut Store\u003cT\u003e) -\u003e Result\u003cLinker\u003cT\u003e\u003e {\n    let mut cloned = Linker::new();\n    for (module, name, item) in linker.iter(store) {\n        cloned.define(module, name, item)?;\n    }\n    Ok(cloned)\n}\n```\n\n### References\n\nThis bug was introduced during an internal refactoring that was part of our efforts to [robustly handle allocation failure in Wasmtime](https://github.com/bytecodealliance/wasmtime/issues/12069). This refactoring introduced an string-interning pool which had an unsound `TryClone`[^try-clone] implementation.\n\n[^try-clone]: [The `TryClone` trait](https://github.com/bytecodealliance/wasmtime/blob/33e8b3d955697587b23cf39d87fbcbdb4d26b0c9/crates/core/src/alloc/try_clone.rs#L5-L17) is our version of the Rust standard library\u0027s `Clone` trait that allows for returning `OutOfMemory` errors.\n\n* The `StringPool` was introduced in https://github.com/bytecodealliance/wasmtime/pull/12536, at which time the bug in `TryClone for StringPool` was already present, although this code path was not yet used anywhere.\n* `wasmtime::Linker` was refactored to internally use `StringPool` in https://github.com/bytecodealliance/wasmtime/pull/12537, at which time the buggy code path became accessible.\n* This bug was originally reported to the Wasmtime maintainers as https://github.com/bytecodealliance/wasmtime/pull/12906",
  "id": "GHSA-hfr4-7c6c-48w2",
  "modified": "2026-04-10T14:39:54Z",
  "published": "2026-04-09T20:23:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34983"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bytecodealliance/wasmtime"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0090.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Wasmtime has use-after-free bug after cloning `wasmtime::Linker`"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

PYSEC-2026-151

CVE-2026-34983 (GCVE-0-2026-34983)

GHSA-HFR4-7C6C-48W2

Impact

Patches

Workarounds

References

Tags

Sightings

Nomenclature