flavio opened PR #12906 from flavio:fix-stringpool-clone to bytecodealliance:main:
This is a fix for https://github.com/bytecodealliance/wasmtime/issues/12905
The 43.0 release introduced a soundness bug in StringPool::try_clone(): the cloned map retains &'static str keys pointing into the original pool's strings storage. Once the original Linker is dropped those keys dangle.
Cloning a Linker, then dropping the original one, leaves a linker whose registered imports could no longer be found, causing instantiation to fail with unknown import.
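The bug class described in the PR text above, as an added example that is not part of the PR and not Wasmtime's code: a hypothetical interner (`Pool`, `clone_sound` and the import name are assumed for illustration) whose map keys borrow from its own storage. Its clone re-derives every key from the copied storage, so the copy stays valid after the original is dropped.

```rust
use std::collections::HashMap;

/// Hypothetical interner (assumed design, not Wasmtime's StringPool).
pub struct Pool {
    // Keys borrow from `strings`. The 'static lifetime is a private fiction,
    // valid only while this same Pool owns the boxes the keys point into.
    map: HashMap<&'static str, u32>,
    strings: Vec<Box<str>>,
}

impl Pool {
    pub fn new() -> Self { Pool { map: HashMap::new(), strings: Vec::new() } }

    pub fn insert(&mut self, s: &str) -> u32 {
        if let Some(&id) = self.map.get(s) { return id; }
        let id = self.strings.len() as u32;
        self.strings.push(s.into());
        // SAFETY: a Box<str> heap allocation stays put when the Vec grows,
        // and the key is never handed out with its fake 'static lifetime.
        let key: &'static str = unsafe { &*(&*self.strings[id as usize] as *const str) };
        self.map.insert(key, id);
        id
    }

    pub fn get(&self, s: &str) -> Option<u32> { self.map.get(s).copied() }

    /// Sound clone: copy the storage, then derive every key from the copy.
    /// Cloning `self.map` as-is would keep keys pointing into `self.strings`,
    /// which dangle once the original pool is dropped.
    pub fn clone_sound(&self) -> Pool {
        let strings = self.strings.clone();
        let mut map = HashMap::with_capacity(strings.len());
        for (i, b) in strings.iter().enumerate() {
            // SAFETY: same invariant as `insert`, tied to the new `strings`.
            let key: &'static str = unsafe { &*(&**b as *const str) };
            map.insert(key, i as u32);
        }
        Pool { map, strings }
    }
}

fn main() {
    let mut p = Pool::new();
    let id = p.insert("env::log"); // constructed sample import name
    let c = p.clone_sound();
    drop(p); // the original's storage is freed here
    assert_eq!(c.get("env::log"), Some(id));
}
```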
flavio requested fitzgen for a review on PR #12906.
flavio requested wasmtime-core-reviewers for a review on PR #12906.
alexcrichton updated PR #12906.
alexcrichton submitted PR review:
Thanks for your patience here! As unsoundness in Wasmtime this is subject to a security advisory which is why we've been a bit silent on this. This is published now as https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2 and the fix here is backported to other branches already.
Thanks again for this!
alexcrichton has enabled auto merge for PR #12906.
alexcrichton added PR #12906 fix(environ): repair unsound StringPool::try_clone() to the merge queue
alexcrichton merged PR #12906.
alexcrichton removed PR #12906 fix(environ): repair unsound StringPool::try_clone() from the merge queue
Last updated: Apr 12 2026 at 23:10 UTC