PT-2026-31689 · Bytecode Alliance · Wasmtime

Published 2026-04-09 · Updated 2026-04-09 · CVE-2026-34983

CVSS v3.1: 5.0 Medium

Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Wasmtime versions 43.0.0 through 43.0.0

Description

Wasmtime, a runtime for WebAssembly, contains a flaw where cloning a wasmtime::Linker can lead to use-after-free bugs. This issue is not triggered by guest Wasm programs but requires a specific sequence of host embedder API calls. The vulnerability occurs when a wasmtime::Linker is cloned, the original instance is dropped, and the cloned instance is subsequently used. This can result in a segfault. The issue was introduced during an internal refactoring related to robust allocation failure handling and a string-interning pool with an unsound TryClone implementation.

Recommendations

Upgrade to Wasmtime version 43.0.1. As a temporary workaround, avoid cloning wasmtime::Linker and instead create a new wasmtime::Linker and manually re-register the host APIs from the original linker.
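
A dependency check for the affected version listed above, as an added example that is not part of the advisory or of Wasmtime's own code: it scans Cargo.lock text for a wasmtime package resolved to 43.0.0. The function name has_affected_wasmtime and the SAMPLE_LOCK contents are constructed for illustration.

```rust
// Added example: flag a Cargo.lock that resolves wasmtime to the affected release.
// has_affected_wasmtime and SAMPLE_LOCK are illustrative names, not from the advisory.

const AFFECTED: &str = "43.0.0"; // advisory: affected 43.0.0, fixed in 43.0.1

/// True if any [[package]] entry is exactly `wasmtime` at the affected version.
fn has_affected_wasmtime(lock: &str) -> bool {
    let mut found = false;
    let (mut name, mut version) = (String::new(), String::new());
    // A trailing sentinel header flushes the final package entry.
    for line in lock.lines().chain(std::iter::once("[[package]]")) {
        let line = line.trim();
        if line.starts_with('[') {
            // New table header: evaluate the entry that just ended.
            found |= name == "wasmtime" && version == AFFECTED;
            name.clear();
            version.clear();
        } else if let Some((key, value)) = line.split_once('=') {
            let value = value.trim().trim_matches('"');
            match key.trim() {
                "name" => name = value.to_string(),
                "version" => version = value.to_string(),
                _ => {}
            }
        }
    }
    found
}

// Constructed sample lockfile, used when no Cargo.lock is present.
const SAMPLE_LOCK: &str = r#"
version = 4

[[package]]
name = "wasmtime"
version = "43.0.0"
dependencies = [
 "wasmtime-environ",
]
"#;

fn main() {
    let lock = std::fs::read_to_string("Cargo.lock").unwrap_or_else(|_| SAMPLE_LOCK.to_string());
    if has_affected_wasmtime(&lock) {
        println!("wasmtime {} is affected by CVE-2026-34983; upgrade to 43.0.1", AFFECTED);
    }
}
```

A match only shows that the affected release is in the dependency graph; whether the embedder actually clones a wasmtime::Linker still has to be checked in the host code.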

Exploit

Fix

Use After Free

Weakness Enumeration

Related Identifiers

CVE-2026-34983
GHSA-HFR4-7C6C-48W2
PYSEC-2026-151
RUSTSEC-2026-0090

Affected Products

Wasmtime