CVE-2026-34983

MEDIUM

Wasmtime has a use-after-free bug after cloning `wasmtime::Linker`

Title source: cna

Description

Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following steps must occur to trigger the bug clone a wasmtime::Linker, drop the original linker instance, use the new, cloned linker instance, resulting in a use-after-free. This vulnerability is fixed in 43.0.1.

References (1)

[X_Refsource_Confirm] https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2

Scores

CVSS v3 5.0

EPSS 0.0001

EPSS Percentile 1.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-416

Status published

Products (3)

bytecodealliance/wasmtime 43.0.0

bytecodealliance/wasmtime >= 43.0.0, < 43.0.1

crates.io/wasmtime 43.0.0 - 43.0.1crates.io

Published Apr 09, 2026

Tracked Since Apr 10, 2026