Wasmtime has use-after-free bug after cloning `wasmtime::Linker`

Description

Impact

In version 43.0.0 of the wasmtime crate, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs.

This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host.

The typical symptom of this use-after-free bug is a segfault. It does not enable heap corruption or data leakage.

If you are using the wasmtime CLI, rather than the embedding API, you are not affected. If you are using the embedding API but are not calling wasmtime::Linker's Clone implementation, you are not affected.

Specifically, the following steps must occur to trigger the bug:

  • Clone a wasmtime::Linker
  • Drop the original linker instance
  • Use the new, cloned linker instance, resulting in a use-after-free

Patches

This bug has been patched in Wasmtime version 43.0.1

Workarounds

Wasmtime embedders are highly encouraged to upgrade their wasmtime crate dependency.

If upgrading is not an option, or as a temporary workaround before upgrading, you can avoid this bug by not cloning wasmtime::Linker and instead creating a new, empty wasmtime::Linker and manually reregistering the host APIs from the original linker:

use wasmtime::{Linker, Result, Store};

fn clone_linker<T>(linker: &Linker<T>, store: &mut Store<T>) -> Result<Linker<T>> {
    let mut cloned = Linker::new();
    for (module, name, item) in linker.iter(store) {
        cloned.define(module, name, item)?;
    }
    Ok(cloned)
}

References

This bug was introduced during an internal refactoring that was part of our efforts to robustly handle allocation failure in Wasmtime. This refactoring introduced an string-interning pool which had an unsound TryClone[^try-clone] implementation.

[^try-clone]: The TryClone trait is our version of the Rust standard library's Clone trait that allows for returning OutOfMemory errors.

  • The StringPool was introduced in https://github.com/bytecodealliance/wasmtime/pull/12536, at which time the bug in TryClone for StringPool was already present, although this code path was not yet used anywhere.
  • wasmtime::Linker was refactored to internally use StringPool in https://github.com/bytecodealliance/wasmtime/pull/12537, at which time the buggy code path became accessible.
  • This bug was originally reported to the Wasmtime maintainers as https://github.com/bytecodealliance/wasmtime/pull/12906

Basic information

Type
reviewed
Severity
low
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-04-09 20:23:44 UTC
Updated
2026-06-08 20:00:38 UTC
GitHub reviewed
2026-04-09 20:23:44 UTC
NVD published
2026-04-09

EPSS Score

Score Percentile
0.01% 0.24%

CVSS Scores

Base score Version Severity Vector
1.0 4.0
CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N Click to expand
Attack vector (AV:P)
Physical access is required.
Attack complexity (AC:H)
Exploitation depends on constrained or hard-to-reproduce conditions.
Attack requirements (AT:P)
Additional preconditions must be present for exploitation.
Privileges required (PR:H)
High privileges are required.
User interaction (UI:A)
User interaction is required in an active way.
Vulnerable system confidentiality impact (VC:L)
Limited confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:L)
Limited integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:L)
Limited availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-416 Use After Free

Credits

  • flavio (remediation_developer)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
rust wasmtime = 43.0.0 43.0.1

References

cvelogic Threat Intelligence