Peterhuene

**Name of the Vulnerable Software and Affected Versions** Wasmtime versions prior to 0.34.1 and 0.33.1 **Description** A bug exists in the pooling instance allocator in Wasmtime's runtime. When a failure to instantiate an instance for a module that defines an `externref` global occurs, it results in an invalid drop of a `VMExternRef` via an uninitialized pointer. This can happen under specific conditions, including when support for the reference types proposal is enabled and a pooling allocation strategy is configured. The module must define at least one table or memory and at least one `externref` global. During instantiation, a call to `mprotect` or `VirtualAlloc` must fail, or a resource limiter must be configured in the associated `Store` and return `false` from the initial call to `memory growing` or `table growing`. The effective impact of this bug is believed to be relatively small due to the uncommon usage of `externref` and the specific conditions required to trigger the bug. **Recommendations** For versions prior to 0.34.1 and 0.33.1, upgrade to version 0.34.1 or 0.33.1 as soon as possible. If it is not possible to upgrade to version 0.34.1 or 0.33.1 of the `wasmtime` crate, disable support for the reference types proposal by passing `false` to `Config::wasm reference types`. This will prevent modules that use `externref` from being loaded entirely.