Skip to main content

Wasmtime EUVDEUVD-2026-21029

| CVE-2026-34983 LOW
Use After Free (CWE-416)
2026-04-09 GitHub_M GHSA-hfr4-7c6c-48w2
1.0
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
1.0 LOW
CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Physical
Attack Complexity
High
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 19:15 euvd
EUVD-2026-21029
Analysis Generated
Apr 09, 2026 - 19:15 vuln.today
CVE Published
Apr 09, 2026 - 18:47 nvd
LOW 1.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 10 pypi packages depend on wasmtime (3 direct, 7 indirect)

Ecosystem-wide dependent count for version 43.0.0.

DescriptionGitHub Advisory

Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following steps must occur to trigger the bug clone a wasmtime::Linker, drop the original linker instance, use the new, cloned linker instance, resulting in a use-after-free. This vulnerability is fixed in 43.0.1.

AnalysisAI

Wasmtime 43.0.0 contains a use-after-free vulnerability in the Linker cloning mechanism that allows host embedders to trigger memory corruption through a specific sequence of API calls: cloning a wasmtime::Linker, dropping the original instance, and then using the cloned instance. This vulnerability is not exploitable by guest WebAssembly programs and requires deliberate misuse of the host API. The flaw is fixed in Wasmtime 43.0.1. Despite the use-after-free nature (CWE-416), the CVSS 4.0 score of 1.0 reflects the extremely limited attack surface: physical or local access is required (AV:P), attack complexity is high (AC:H), high privilege level is needed (PR:H), and user interaction is required (UI:A), resulting in minimal confidentiality, integrity, and availability impact.

Technical ContextAI

Wasmtime is a WebAssembly runtime maintained by the Bytecode Alliance that provides host embedders with a programmatic API to instantiate and execute WebAssembly modules. The vulnerability resides in the implementation of the wasmtime::Linker clone operation, which is part of the embedder-facing Rust API (not exposed to guest Wasm programs). The root cause (CWE-416: Use After Free) indicates that the cloning logic fails to properly manage lifetime semantics for internal state, likely involving dangling pointers or references. When a cloned Linker instance is used after the original has been dropped, the cloned instance references memory that has been freed, enabling classic use-after-free exploitation patterns such as information disclosure or code execution. This is a soundness violation in Rust's safety abstractions at the FFI/embedder boundary.

RemediationAI

Vendor-released patch: Wasmtime 43.0.1 fixes the use-after-free in the Linker clone operation. All users of Wasmtime 43.0.0 should upgrade to 43.0.1 immediately. Users running versions prior to 43.0.0 should confirm their version and upgrade if they have deployed 43.0.0 in production. No workarounds are available; the patch is the only remediation. Full details and remediation guidance are provided in the GitHub security advisory at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2.

CVE-2023-26489 CRITICAL
9.9 Mar 08

wasmtime is a fast and secure runtime for WebAssembly. Rated critical severity (CVSS 9.9), this vulnerability is remotel

CVE-2022-39394 CRITICAL
9.8 Nov 10

Wasmtime is a standalone runtime for WebAssembly. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2022-24791 CRITICAL
9.8 Mar 31

Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. Rated critical severity (CVSS 9.8), this vu

CVE-2024-30266 MEDIUM POC
5.5 Apr 04

wasmtime is a runtime for WebAssembly. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Pu

CVE-2026-34971 CRITICAL
9.0 Apr 09

Arbitrary memory read/write vulnerability in Bytecode Alliance Wasmtime versions 32.0.0 through 36.0.6, 42.0.0-42.0.1, a

CVE-2023-30624 HIGH
8.8 Apr 27

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit

CVE-2022-31146 HIGH
8.8 Jul 21

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit

CVE-2022-39393 HIGH
8.6 Nov 10

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 8.6), this vulnerability is remotely exploit

CVE-2026-27572 HIGH
7.5 Feb 24

Wasmtime's HTTP header handling in the wasmtime-wasi-http crate crashes when processing excessive header fields, allowin

CVE-2026-27195 HIGH
7.5 Feb 24

Wasmtime versions 39.0.0 and later experience a denial-of-service panic when async WebAssembly component functions are c

CVE-2022-31169 HIGH
7.5 Jul 22

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploit

CVE-2022-39392 HIGH
7.4 Nov 10

Wasmtime is a standalone runtime for WebAssembly. Rated high severity (CVSS 7.4), this vulnerability is remotely exploit

Share

EUVD-2026-21029 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy