Wasmtime · Wasmtime · CVE-2026-27195
**Name of the Vulnerable Software and Affected Versions**
Wasmtime versions 39.0.0 through 41.0.3
**Description**
Wasmtime, a runtime for WebAssembly, can panic when the host embedder drops the future returned by `wasmtime::component::[Typed]Func::call_async` before it resolves and then calls the same function again with the same component instance. The component instance enters a non-reenterable state, which leads to a trap and a subsequent panic during task disposal. The cause is a bug in the implementation of `[Typed]Func::call_async` introduced with the `component-model-async` feature, which became the default starting with version 39.0.0. The affected API is `wasmtime::component::[Typed]Func::call_async`; the returned future is not explicitly named, but its improper handling triggers the issue. Embeddings built with the `component-model-async` compile-time feature disabled are not affected.
**Recommendations**
Wasmtime versions 39.0.0 through 40.0.3 should be updated to version 40.0.4 or 41.0.4.
Wasmtime versions 40.0.4 through 41.0.3 should be updated to version 41.0.4.
If an embedding is not using any component-model-async features, disable the `component-model-async` Cargo feature.
Ensure every `call_async` future is awaited until it completes.
Refrain from using the `Store` again after dropping a not-yet-resolved `call_async` future.
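
The last two recommendations can be enforced in the embedder rather than left to convention. The following is an added example, not code from Wasmtime or from this advisory: a std-only model in which a wrapper future records when it is dropped before resolving, so the embedder can refuse to reuse the associated `Store`. `StoreHealth`, `Guarded`, `TwoStep` and `run` are hypothetical names, and `TwoStep` is a constructed stand-in for a guest call.

```rust
use std::sync::{atomic::{AtomicBool, Ordering}, Arc};
use std::{future::Future, pin::Pin, task::{Context, Poll, Wake, Waker}};

/// Hypothetical flag an embedder keeps beside each `Store`.
#[derive(Clone, Default)]
pub struct StoreHealth(Arc<AtomicBool>);
impl StoreHealth {
    pub fn is_poisoned(&self) -> bool { self.0.load(Ordering::SeqCst) }
    /// Wrap a call future so that dropping it unresolved poisons the store.
    pub fn guard<F: Future>(&self, fut: F) -> Guarded<F> {
        Guarded { fut: Box::pin(fut), done: false, health: self.clone() }
    }
}

pub struct Guarded<F: Future> { fut: Pin<Box<F>>, done: bool, health: StoreHealth }
impl<F: Future> Future for Guarded<F> {
    type Output = F::Output;
    fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<F::Output> {
        let out = self.fut.as_mut().poll(cx);
        if out.is_ready() { self.done = true; }
        out
    }
}
impl<F: Future> Drop for Guarded<F> {
    fn drop(&mut self) {
        // Dropped before `Ready`: the instance must not be entered again.
        if !self.done { self.health.0.store(true, Ordering::SeqCst); }
    }
}

/// Constructed stand-in for a guest call that needs two polls to finish.
pub struct TwoStep(pub bool);
impl Future for TwoStep {
    type Output = u32;
    fn poll(mut self: Pin<&mut Self>, _cx: &mut Context<'_>) -> Poll<u32> {
        if self.0 { Poll::Ready(7) } else { self.0 = true; Poll::Pending }
    }
}
struct Noop;
impl Wake for Noop { fn wake(self: Arc<Self>) {} }

/// Poll a guarded call up to `polls` times, then drop it; returns (result, poisoned).
pub fn run(polls: usize) -> (Option<u32>, bool) {
    let health = StoreHealth::default();
    let waker = Waker::from(Arc::new(Noop));
    let mut cx = Context::from_waker(&waker);
    let mut fut = health.guard(TwoStep(false));
    let result = (0..polls).find_map(|_| match Pin::new(&mut fut).poll(&mut cx) { Poll::Ready(v) => Some(v), Poll::Pending => None });
    drop(fut);
    (result, health.is_poisoned())
}
fn main() { println!("cancelled: {:?}, completed: {:?}", run(1), run(2)); }
```

In an embedding, the same wrapper would go around each `call_async` future (for example inside a timeout or `select`), and a `Store` whose flag is set would be discarded instead of reused.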