CVE-2026-34983

Wasmtime has a use-after-free bug after cloning `wasmtime::Linker`

Description

Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following steps must occur to trigger the bug clone a wasmtime::Linker, drop the original linker instance, use the new, cloned linker instance, resulting in a use-after-free. This vulnerability is fixed in 43.0.1.

INFO

Published Date :

2026-04-09T18:47:26.575Z

Last Modified :

2026-04-09T18:47:26.575Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-34983 vulnerability.

Vendors	Products
Bytecodealliance	Wasmtime

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34983.

URL	Resource
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability