CVE-2026-34983: Use-After-Free in Wasmtime Linker StringPool
Vulnerability ID: CVE-2026-34983
CVSS Score: 1.0
Published: 2026-04-09
Wasmtime version 43.0.0 contains a use-after-free vulnerability in the StringPool component of the embedding API. The flaw emerges from an unsound implementation of the TryClone trait, leading to dangling pointers when a Linker is cloned and the original instance is dropped. The vulnerability causes segmentation faults in the host process and requires specific API interactions to trigger.
TL;DR
A use-after-free in Wasmtime 43.0.0 occurs when cloning a Linker due to shallow copying in the StringPool. Dropping the original Linker invalidates the clone's pointers, causing crashes in the host application.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-416
- Attack Vector: Physical/Local API usage
- CVSS Score: 1.0 (Low)
- Impact: Denial of Service (Process Crash)
- Exploit Status: PoC available (regression test)
- KEV Status: Not Listed
Affected Systems
- Wasmtime Embedding API (Rust)
- Wasmtime: = 43.0.0 (Fixed in: 43.0.1)
Code Analysis
Commit: 96dde3a
Fix use-after-free in StringPool TryClone implementation by re-interning strings
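The shallow-copy failure and the re-interning fix described above, shown as a simplified model added here (it is not Wasmtime's source or the commit's code). The Pool layout, with keys holding raw views into strings, and all names are assumptions; the check compares addresses only and never dereferences a stale pointer.

```rust
// Simplified model of an interning pool (hypothetical layout, not Wasmtime's source).
// `keys` stands in for a lookup map whose keys borrow from `strings`.
struct Pool {
    strings: Vec<Box<str>>,        // owns the string bytes
    keys: Vec<(*const u8, usize)>, // (ptr, len) views into `strings`
}

impl Pool {
    fn new() -> Self { Pool { strings: Vec::new(), keys: Vec::new() } }

    fn intern(&mut self, s: &str) -> usize {
        if let Some(i) = self.strings.iter().position(|o| &**o == s) { return i; }
        let owned: Box<str> = s.into();
        self.keys.push((owned.as_ptr(), owned.len())); // heap address stays fixed when the Box moves
        self.strings.push(owned);
        self.strings.len() - 1
    }

    // Unsound pattern: fresh storage, but key pointers copied from the source pool.
    fn shallow_clone(&self) -> Pool {
        Pool { strings: self.strings.clone(), keys: self.keys.clone() }
    }

    // Fixed pattern: re-intern each string so keys are rebuilt against the new storage.
    fn reintern_clone(&self) -> Pool {
        let mut p = Pool::new();
        for s in &self.strings { p.intern(s); }
        p
    }

    // Invariant: every key must point into storage this pool owns.
    // Compares addresses only; nothing is dereferenced.
    fn self_contained(&self) -> bool {
        self.keys.iter().all(|&(ptr, len)| {
            self.strings.iter().any(|s| s.as_ptr() == ptr && s.len() == len)
        })
    }
}

fn main() {
    let mut original = Pool::new();
    original.intern("env");       // constructed sample names
    original.intern("host_func");
    println!("shallow clone self-contained: {}", original.shallow_clone().self_contained());
    println!("re-interned clone self-contained: {}", original.reintern_clone().self_contained());
}
```

A clone that fails the invariant still depends on the original's allocations, so dropping the original leaves its keys dangling.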
Mitigation Strategies
- Upgrade Wasmtime dependency to version 43.0.1.
- Avoid invoking the clone() method on wasmtime::Linker instances.
- Implement manual iteration and item definition to duplicate Linker state.
Remediation Steps:
- Audit the Rust codebase for invocations of clone() on wasmtime::Linker objects.
- Update the Cargo.toml file to specify wasmtime = "=43.0.1" (or a later patched release).
- Execute cargo update -p wasmtime to update the specific crate version.
- Recompile the host application.
- If upgrading is impossible, replace linker.clone() with a custom function that creates a new Linker and iterates over linker.iter() to redefine items.