CVE-2021-39216

MEDIUM6.3EPSS 0.15%

Wrong type for `Linker`-define functions when used across two `Engine`s

Published: 9/20/2021Modified: 3/13/2026

Description

### Impact As a Rust library the `wasmtime` crate clearly marks which functions are safe and which are `unsafe`, guaranteeing that if consumers never use `unsafe` then it should not be possible to have memory unsafety issues in their embeddings of Wasmtime. An issue was discovered in the safe API of `Linker::func_*` APIs. These APIs were previously not sound when one `Engine` was used to create the `Linker` and then a different `Engine` was used to create a `Store` and then the `Linker` was used to instantiate a module into that `Store`. Cross-`Engine` usage of functions is not supported in Wasmtime and this can result in type confusion of function pointers, resulting in being able to safely call a function with the wrong type. Triggering this bug requires using at least two `Engine` values in an embedding and then additionally using two different values with a `Linker` (one at the creation time of the `Linker` and another when instantiating a module with the `Linker`). It's expected that usage of more-than-one `Engine` in an embedding is relatively rare since an `Engine` is intended to be a globally shared resource, so the expectation is that the impact of this issue is relatively small. The fix implemented is to change this behavior to `panic!()` in Rust instead of silently allowing it. Using different `Engine` instances with a `Linker` is a programmer bug that `wasmtime` catches at runtime. ### Patches This bug has been patched and users should upgrade to Wasmtime version 0.30.0. ### Workarounds If you cannot upgrade Wasmtime and are using more than one `Engine` in your embedding it's recommended to instead use only one `Engine` for the entire program if possible. An `Engine` is designed to be a globally shared resource that is suitable to have only one for the lifetime of an entire process. If using multiple `Engine`s is required then code should be audited to ensure that `Linker` is only used with one `Engine`. ### For more information If you have any questions or comments about this advisory: * Reach out to us on [the Bytecode Alliance Zulip chat](https://bytecodealliance.zulipchat.com/#narrow/stream/217126-wasmtime) * Open an issue in [the `bytecodealliance/wasmtime` repository](https://github.com/bytecodealliance/wasmtime/)

Affected packages (10)

crates.io/wasmtime>= 0.26.0, < 0.30.0
crates.io/wasmtimefrom 0, < 0.30.0
crates.io/wasmtimefrom 0, < 0.30.0
crates.io/wasmtime>= 0.0.0-0, < 0.30.0
PyPI/wasmtimefrom 0, < 398a73f0dd862dbe703212ebae8e34036a18c11c | from 0, < 0.30.0
PyPI/wasmtime>= 0.26.0, < 0.30.0
PyPI/wasmtimefrom 0, < b39f087414f27ae40c44449ed5d1154e03449bff | from 0, < 0.30.0
PyPI/wasmtimefrom 0, < 0.30.0
PyPI/wasmtimefrom 0, < 0.30.0
PyPI/wasmtimefrom 0, < 101998733b74624cbd348a2366d05760b40181f3 | from 0, < 0.30.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM6.3	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Description

Affected packages (10)

CVSS scores

References (18)