PYSEC-2026-151

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/wasmtime/PYSEC-2026-151.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-151
Aliases
Published
2026-04-09T19:16:24.850Z
Modified
2026-05-21T15:00:24.330171463Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following steps must occur to trigger the bug clone a wasmtime::Linker, drop the original linker instance, use the new, cloned linker instance, resulting in a use-after-free. This vulnerability is fixed in 43.0.1.

References

Affected packages

PyPI / wasmtime

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
43.0.0

Affected versions

0.*
0.0.1
0.0.2
0.9.0
0.11.0
0.12.0
0.15.0
0.15.1
0.16.0
0.16.1
0.17.0
0.18.0
0.18.1
0.18.2
0.19.0
0.20.0
0.21.0
0.22.0
0.23.0
0.24.0
0.25.0
0.26.0
0.27.0
0.28.0
0.28.1
0.29.0
0.30.0
0.31.0
0.32.0
0.33.0
0.34.0
0.35.0
0.36.0
0.37.0
0.38.0
0.39.1
0.40.0
1.*
1.0.0
1.0.1
2.*
2.0.0
3.*
3.0.0
4.*
4.0.0
5.*
5.0.0
6.*
6.0.0
7.*
7.0.0
8.*
8.0.0
8.0.1
9.*
9.0.0
10.*
10.0.0
10.0.1
11.*
11.0.0
12.*
12.0.0
13.*
13.0.0
13.0.1
13.0.2
14.*
14.0.0
15.*
15.0.0
16.*
16.0.0
17.*
17.0.0
17.0.1
18.*
18.0.0
18.0.2
19.*
19.0.0
20.*
20.0.0
21.*
21.0.0
22.*
22.0.0
23.*
23.0.0
24.*
24.0.0
25.*
25.0.0
27.*
27.0.0
27.0.1
27.0.2
28.*
28.0.0
29.*
29.0.0
30.*
30.0.0
31.*
31.0.0
32.*
32.0.0
33.*
33.0.0
34.*
34.0.0
35.*
35.0.0
36.*
36.0.0
37.*
37.0.0
38.*
38.0.0
39.*
39.0.0
40.*
40.0.0
41.*
41.0.0
42.*
42.0.0
43.*
43.0.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/wasmtime/PYSEC-2026-151.yaml"