PT-2021-22470 · Wasmtime · Wasmtime

Alexcrichton · Published 2021-09-17 · Updated 2021-12-21 · CVE-2021-39219

CVSS v3.1: 6.3 Medium

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Wasmtime versions prior to 0.30.0

Description

A type confusion vulnerability was discovered in the safe Linker::func_* APIs. It occurs when one Engine is used to create the Linker, a different Engine is used to create a Store, and the Linker is then used to instantiate a module into that Store. Cross-Engine usage of functions is not supported in Wasmtime, and it can result in type confusion of function pointers, making it possible to call a function with the wrong type from safe code. Additionally, there was an invalid free and an out-of-bounds read and write bug when running Wasm that uses externrefs in Wasmtime. The impact of these issues is expected to be relatively small because use of more than one Engine in an embedding and use of externref are currently quite rare.

Recommendations

To resolve the issue, upgrade to Wasmtime version 0.30.0. If you cannot upgrade Wasmtime and are using more than one Engine in your embedding, use only one Engine for the entire program if possible. If using multiple Engines is required, audit the code to ensure that each Linker is only used with one Engine. If you cannot upgrade Wasmtime and are using externrefs, disable reference types support in Wasmtime by passing false to wasmtime::Config::wasm_reference_types.

Fix

Memory Corruption

Use After Free

Out of bounds Read

Type Confusion

Related Identifiers

CVE-2021-39219
GHSA-4873-36H9-WV49
GHSA-Q879-9G95-56MX
GHSA-V4CP-H94R-M7XF
PYSEC-2021-320
PYSEC-2021-321
PYSEC-2021-322
RUSTSEC-2021-0110

Affected Products

Wasmtime