CVSS: 6.3 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2021-39219 – Wrong type for `Linker`-define functions when used across two `Engine`s
https://notcve.org/view.php?id=CVE-2021-39219
17 Sep 2021 — Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime before version 0.30.0 is affected by a type confusion vulnerability. As a Rust library the `wasmtime` crate clearly marks which functions are safe and which are `unsafe`, guaranteeing that if consumers never use `unsafe` then it should not be possible to have memory unsafety issues in their embeddings of Wasmtime. An issue was discovered in the safe API of `Linker::func_*` APIs. These APIs were previously not sound when one `Engine` was use...
• https://crates.io/crates/wasmtime
• CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CVSS: 6.3 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2021-39216 – Use after free passing `externref`s to Wasm in Wasmtime
https://notcve.org/view.php?id=CVE-2021-39216
17 Sep 2021 — Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `externref`s as arguments from host code to a Wasm function, or returning multiple `externref`s to Wasm from a multi-value return function defined in the...
• https://crates.io/crates/wasmtime
• CWE-416: Use After Free
