CVE-2026-34983
Use-After-Free in Wasmtime Linker Clone Causes Memory Corruption
Publication date: 2026-04-09
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bytecodealliance | wasmtime | 43.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34983 is a use-after-free vulnerability in version 43.0.0 of the Rust crate wasmtime, specifically involving the cloning of the wasmtime::Linker struct.
The bug occurs when a wasmtime::Linker instance is cloned, the original instance is dropped, and then the cloned instance is used. This sequence leads to unsound behavior causing a use-after-free condition, which can result in a segmentation fault.
This vulnerability is not exploitable by guest WebAssembly programs but requires a specific sequence of host embedder API calls.
The root cause was an internal refactoring introducing a string-interning pool with an unsound implementation of a custom TryClone trait.
The issue was fixed in wasmtime version 43.0.1.
How can this vulnerability impact me?
This vulnerability can cause a use-after-free condition leading to invalid memory access, typically resulting in a segmentation fault.
It does not lead to heap corruption or data leakage.
Only users who clone wasmtime::Linker and then drop the original before using the clone are affected.
Users of the wasmtime CLI or those not cloning Linker are not affected.
The CVSS v4 base score is low (1.0), indicating low severity and low impact on confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises specifically when a wasmtime::Linker instance is cloned, the original instance is dropped, and then the cloned instance is used, leading to a use-after-free condition typically resulting in a segmentation fault.
Detection involves monitoring for crashes or segmentation faults in applications using wasmtime version 43.0.0 that perform cloning of the Linker struct.
Since the issue is triggered by a specific sequence of embedder API calls, there are no direct network detection commands.
To detect if your system is affected, check the wasmtime version in use and whether your code or application clones the wasmtime::Linker and drops the original before using the clone.
Suggested commands include:
- Check wasmtime version: `wasmtime --version`
- Monitor application logs for segmentation faults or crashes related to wasmtime usage.
- If you have access to the source code, search for cloning of wasmtime::Linker: `grep -r 'clone()' /path/to/your/code`
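The version check and source search above can be combined into one triage pass that reads the pinned version from `Cargo.lock` instead of the CLI and narrows the search to likely Linker clones. This script is an added example, not part of the original advisory; the function names, the `linker`-in-the-variable-name heuristic, and the sample project it creates are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): triage a Rust project for CVE-2026-34983.
# Assumption: Linker variables contain "linker" in their name (heuristic only).

# Print each version of the wasmtime crate itself pinned in a Cargo.lock.
wasmtime_versions() {
    awk '
        /^\[\[package\]\]/      { in_pkg = 0 }
        /^name = "wasmtime"$/   { in_pkg = 1 }
        in_pkg && /^version = / { gsub(/"/, "", $3); print $3; in_pkg = 0 }
    ' "$1"
}

# Exit 0 if the lockfile pins the affected release 43.0.0.
lock_is_affected() {
    wasmtime_versions "$1" | grep -qx '43\.0\.0'
}

# List candidate Linker clone sites in .rs files as file:line:text.
linker_clone_sites() {
    find "$1" -type f -name '*.rs' -exec grep -niE \
        '(linker[a-z0-9_]*\.clone\(\)|linker::clone)' /dev/null {} + || true
}

# Constructed sample project so the script runs offline.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/src"
cat > "$demo_dir/Cargo.lock" <<'EOF'
[[package]]
name = "wasmtime"
version = "43.0.0"

[[package]]
name = "wasmtime-environ"
version = "43.0.0"
EOF
cat > "$demo_dir/src/main.rs" <<'EOF'
let per_request = base_linker.clone();
drop(base_linker);
EOF

if lock_is_affected "$demo_dir/Cargo.lock"; then
    echo "wasmtime 43.0.0 pinned; review these clone sites:"
    linker_clone_sites "$demo_dir/src"
fi
```

A hit only marks a clone site for review: the bug needs the original Linker to be dropped before the clone is used.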
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade wasmtime to version 43.0.1 or later, where this vulnerability is fixed.
If upgrading immediately is not possible, avoid cloning the wasmtime::Linker instance and dropping the original before using the clone.
As a workaround, create a new Linker instance and manually re-register host APIs from the original Linker by iterating over the original's definitions and redefining them in the new Linker.
Users of the wasmtime CLI or those not cloning Linker are not affected, so review your usage patterns accordingly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability described in CVE-2026-34983 is a low-severity use-after-free bug in the wasmtime::Linker cloning mechanism that does not lead to data leakage or heap corruption.
Since the issue does not result in unauthorized data access, leakage, or corruption, it is unlikely to directly impact compliance with common standards and regulations such as GDPR or HIPAA, which primarily focus on protecting sensitive data confidentiality and integrity.
However, any use-after-free vulnerability could theoretically cause application instability or crashes, which might indirectly affect system availability or reliability. This specific vulnerability has a low CVSS score and no reported system impact.