Description
Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following steps must occur to trigger the bug: clone a wasmtime::Linker, drop the original linker instance, and use the new, cloned linker instance, resulting in a use-after-free. This vulnerability is fixed in 43.0.1.
Published: 2026-04-09
Score: 1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Use‑after‑free leading to potential memory corruption
Action: Patch
AI Analysis

Impact

In Wasmtime 43.0.0 a host‑side error in the linker cloning API can trigger a use‑after‑free. When a program clones a wasmtime::Linker, later drops the original instance, and continues to use the cloned instance, the runtime accesses memory that has already been released, causing unpredictable behavior such as crashes or memory corruption. The flaw cannot be activated by guest WebAssembly code; the attack vector requires specific host API calls.

Affected Systems

The affected product is the Wasmtime runtime supplied by Bytecodealliance, version 43.0.0. Any application that embeds this release and performs the clone‑then‑drop sequence – for example, servers, virtual machine managers, or embedded runtimes – may be vulnerable. Version 43.0.1 and later contain the fix.

Risk and Exploitability

The CVSS score is 1, indicating a low severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. Because the flaw is triggered solely by host code under a very specific API sequence, remote exploitation is unlikely, though a compromised or malicious host could still experience instability or denial of service.

Generated by OpenCVE AI on April 10, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wasmtime runtime to version 43.0.1 or later where the bug is fixed.
  • If an upgrade is not immediately feasible, review host code to avoid dropping an original linker immediately after cloning; keep the original instance alive until the cloned instance is no longer used.
  • Verify that applications no longer exercise the clone‑then‑drop pattern after the upgrade.
  • Monitor the Bytecodealliance release channel for any additional advisories and apply future patches as they become available.
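
One way to confirm the first and third actions above is to check which wasmtime release a project's Cargo.lock actually pins. The script below is an added example, not code from OpenCVE or the Wasmtime project; the function names and the embedded sample lockfile are constructed for illustration, and the affected and fixed versions are the ones stated in the description.

```python
import sys

AFFECTED = {"43.0.0"}   # release the advisory names as affected
FIXED = "43.0.1"        # release the advisory names as fixed

def locked_packages(lock_text):
    """Yield (name, version) for every [[package]] table in Cargo.lock text."""
    name = version = None
    in_pkg = False
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a new table header ends the previous one
            if in_pkg and name and version:
                yield name, version
            in_pkg = line == "[[package]]"
            name = version = None
        elif in_pkg and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip().strip('"')
            if key == "name":
                name = value
            elif key == "version":
                version = value
    if in_pkg and name and version:         # flush the final table
        yield name, version

def affected_wasmtime(lock_text):
    """Return the sorted affected versions of the `wasmtime` crate that are locked."""
    found = {v for n, v in locked_packages(lock_text) if n == "wasmtime"}
    return sorted(found & AFFECTED)

# Constructed sample lockfile (not taken from a real project).
SAMPLE_LOCK = '''\
version = 4

[[package]]
name = "wasmtime"
version = "43.0.0"
dependencies = [
 "wasmtime-environ",
]

[[package]]
name = "wasmtime-environ"
version = "43.0.0"
'''

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    hits = affected_wasmtime(text)
    for v in hits:
        print(f"wasmtime {v} is locked: upgrade to {FIXED} or later")
    sys.exit(1 if hits else 0)
```

Run it with the path to a Cargo.lock as the only argument; a non-zero exit status means the affected release is pinned, which makes it usable as a CI gate.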



Advisories
Source: Github GHSA
ID: GHSA-hfr4-7c6c-48w2
Title: Wasmtime has use-after-free bug after cloning `wasmtime::Linker`
History

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Bytecodealliance
Bytecodealliance wasmtime
Vendors & Products Bytecodealliance
Bytecodealliance wasmtime

Fri, 10 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Low


Thu, 09 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Description Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following steps must occur to trigger the bug: clone a wasmtime::Linker, drop the original linker instance, and use the new, cloned linker instance, resulting in a use-after-free. This vulnerability is fixed in 43.0.1.
Title Wasmtime has a use-after-free bug after cloning `wasmtime::Linker`
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 1, 'vector': 'CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Bytecodealliance Wasmtime
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T18:47:26.575Z

Reserved: 2026-03-31T19:38:31.617Z

Link: CVE-2026-34983

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-09T19:16:24.850

Modified: 2026-04-09T19:16:24.850

Link: CVE-2026-34983

Redhat

Severity : Low

Public Date: 2026-04-09T18:47:26Z

Links: CVE-2026-34983 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:31:36Z

Weaknesses