Use-after-free in Wasmtime - CVE-2021-39216

Published: September 17, 2021 / Updated: April 23, 2026


Vulnerability identifier: #VU127033
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-39216
CWE-ID: CWE-416
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Wasmtime
Software vendor:
Bytecode Alliance

Description

The vulnerability allows a remote user to cause a denial of service or potentially execute arbitrary code.

The vulnerability exists due to a use-after-free in Wasmtime's externref handling when more than one externref is passed from host code into guest Wasm at the same time. The affected shapes are host code that calls a Wasm function with multiple externref arguments, and a host-defined multi-value function that returns multiple externrefs to Wasm. Embeddings whose host code never passes or returns multiple externrefs at once are not affected.

The issue is triggered when the VMExternRefActivationsTable fills to capacity after the first externref has been inserted: inserting the second externref then runs a garbage collection before control is transferred to Wasm. At that point no Wasm frame roots the first externref, so if nothing else on the host holds a reference to it, the collector reclaims it. When control subsequently passes to Wasm, the guest uses the first externref, which is a use after free. Untrusted Wasm content that receives such values can use the dangling reference to crash the host or potentially execute arbitrary code.
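The following is an added illustration of the rooting gap described above, written for this page; it is a self-contained model, not Wasmtime's code, and the type and function names (`ActivationsTable`, `insert_with_gc`, `insert_batch`, `HostObject`) are assumptions chosen for the example. It models the activations table as a bounded set of strong references that a collection rebuilds from the roots the Wasm stack maps report, and shows that inserting two externrefs one at a time lets the collection run while the first is not yet on any Wasm frame, whereas making room for the whole batch before handing out either value does not. The batch variant is the model's fix, not a statement of how the Wasmtime 0.30.0 patch is implemented.

```rust
use std::rc::{Rc, Weak};

/// Host-owned value crossing into the guest. Constructed sample type standing
/// in for the payload behind a Wasmtime ExternRef; not Wasmtime code.
#[derive(Debug, PartialEq)]
pub struct HostObject(pub &'static str);

/// What the guest holds: a non-owning handle, like the raw pointer a Wasm
/// frame receives. It is only valid while something still roots the object.
pub type GuestHandle = Weak<HostObject>;

/// Model of the VMExternRefActivationsTable: a bounded set of strong
/// references. A collection keeps only entries some live Wasm frame reports.
pub struct ActivationsTable {
    capacity: usize,
    entries: Vec<Rc<HostObject>>,
    pub collections: usize,
}

impl ActivationsTable {
    pub fn new(capacity: usize) -> Self {
        ActivationsTable { capacity, entries: Vec::new(), collections: 0 }
    }

    /// Collect: retain only entries that `stack_roots` (what the stack maps
    /// would find on live Wasm frames) still reference; drop everything else.
    pub fn gc(&mut self, stack_roots: &[GuestHandle]) {
        self.collections += 1;
        self.entries.retain(|e| {
            stack_roots
                .iter()
                .any(|r| r.upgrade().map_or(false, |live| Rc::ptr_eq(&live, e)))
        });
    }

    fn insert(&mut self, obj: Rc<HostObject>) -> GuestHandle {
        let handle = Rc::downgrade(&obj);
        self.entries.push(obj);
        handle
    }

    /// Per-value insert that collects when the table is full. This is the
    /// shape that goes wrong: the collection can run between the first and
    /// second value, while the first is in the table but on no Wasm frame.
    pub fn insert_with_gc(&mut self, obj: Rc<HostObject>, stack_roots: &[GuestHandle]) -> GuestHandle {
        if self.entries.len() >= self.capacity {
            self.gc(stack_roots);
        }
        self.insert(obj)
    }

    /// Batch insert: make room for the whole batch before handing out any
    /// handle, so no collection can run between the values (the model's fix).
    pub fn insert_batch(&mut self, objs: Vec<Rc<HostObject>>, stack_roots: &[GuestHandle]) -> Vec<GuestHandle> {
        if self.entries.len() + objs.len() > self.capacity {
            self.gc(stack_roots);
        }
        objs.into_iter().map(|o| self.insert(o)).collect()
    }
}

/// What the guest observes for each value once control reaches it:
/// Some(name) if the object is alive, None if it was freed underneath it.
#[derive(Debug, PartialEq)]
pub struct GuestView {
    pub first: Option<&'static str>,
    pub second: Option<&'static str>,
    pub collections: usize,
}

/// Fill the table to one short of capacity with earlier values the host has
/// already dropped, then hand two externrefs to the guest via `pass`.
fn run(capacity: usize, pass: impl Fn(&mut ActivationsTable, &[GuestHandle]) -> (GuestHandle, GuestHandle)) -> GuestView {
    let mut table = ActivationsTable::new(capacity);
    let stack_roots: Vec<GuestHandle> = Vec::new(); // guest not running yet: no roots
    for _ in 0..capacity.saturating_sub(1) {
        let _ = table.insert_with_gc(Rc::new(HostObject("earlier")), &stack_roots);
    }
    let (first, second) = pass(&mut table, &stack_roots);
    // Control now transfers to Wasm and the guest dereferences both handles.
    GuestView {
        first: first.upgrade().map(|o| o.0),
        second: second.upgrade().map(|o| o.0),
        collections: table.collections,
    }
}

/// Host passes two externrefs one at a time: the second insert collects and
/// frees the first before the guest ever sees it.
pub fn call_guest_one_at_a_time(capacity: usize) -> GuestView {
    run(capacity, |t, roots| {
        let a = t.insert_with_gc(Rc::new(HostObject("first")), roots);
        let b = t.insert_with_gc(Rc::new(HostObject("second")), roots);
        (a, b)
    })
}

/// Host reserves room for both values up front: both survive to the guest.
pub fn call_guest_batched(capacity: usize) -> GuestView {
    run(capacity, |t, roots| {
        let mut hs = t.insert_batch(vec![Rc::new(HostObject("first")), Rc::new(HostObject("second"))], roots);
        let b = hs.pop().unwrap();
        let a = hs.pop().unwrap();
        (a, b)
    })
}

fn main() {
    println!("one at a time: {:?}", call_guest_one_at_a_time(4));
    println!("batched:       {:?}", call_guest_batched(4));
}
```

In the model the dangling handle is detected as `None` because `Weak` knows its target is gone; in native code the guest would hold a raw pointer to freed memory and read or write through it, which is the denial-of-service or code-execution outcome the advisory describes.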


Remediation

Update to Wasmtime 0.30.0 or later, which fixes this issue. Embeddings that cannot update immediately can avoid the affected shapes: do not pass multiple externref arguments from host code into a Wasm function in a single call, and do not return multiple externrefs to Wasm from a host-defined function.

External links