CVE-2026-34983

Publication date 10 April 2026

Last updated 10 April 2026

Ubuntu priority

Description

Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following steps must occur to trigger the bug clone a wasmtime::Linker, drop the original linker instance, use the new, cloned linker instance, resulting in a use-after-free. This vulnerability is fixed in 43.0.1.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
rust-wasmtime	25.10 questing	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Not in release

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2026-34983
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2

CVE-2026-34983

Description

Status

References

Other references

Access our resources on patching vulnerabilities