Wasmtime Memory Leak Vulnerability in C/C++ API for WebAssembly Reference Types

Vulnerability

A memory leak vulnerability has been identified in Wasmtime versions 37.0.0 and 37.0.1. This issue arises in the C/C++ API when using bindings for 'anyref' or 'externref' WebAssembly values. The vulnerability was introduced in version 37.0.0 and does not affect earlier versions. The leak occurs because the C API was not properly updated to reflect new ownership semantics, leaving 'anyref' and 'externref' types prone to memory leaks. The 'wasmtime' Rust crate is not affected by this issue.

Impact

The vulnerability leads to a permanent memory leak on the host when 'anyref' or 'externref' types are used in the C/C++ API.

Reproduction

The vulnerability can be reproduced by using Wasmtime version 37.0.0 or 37.0.1 and creating WebAssembly 'anyref' or 'externref' values through the C/C++ API. The leak can be observed by monitoring the host process's memory usage, which grows and is never released. A tool such as Valgrind, which detects memory leaks in C and C++ programs, can be used to confirm it.

Remediation

Users can upgrade to Wasmtime version 37.0.2, which fixes the memory leak issue. Instructions for downloading this version are available on the Wasmtime GitHub releases page.
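
To find copies of the C API that still need the 37.0.2 upgrade, the following added example (not code from this advisory or from the Wasmtime project) scans a source tree for vendored wasmtime.h headers and flags the two affected releases. It assumes each header defines WASMTIME_VERSION as a quoted "x.y.z" string and that releases after 37.0.2 carry the fix; the function names and the demo headers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Wasmtime project code). Assumption: each vendored wasmtime.h
# carries a line of the form:  #define WASMTIME_VERSION "x.y.z"

# classify_version VERSION -> affected | pre-37 | fixed | unknown
classify_version() {
    case "$1" in
        37.0.0|37.0.1) echo affected ;;          # releases named in the advisory
        ""|*[!0-9.]*|*.*.*.*) echo unknown ;;    # not a plain x.y.z release string
        [0-9]*.[0-9]*.[0-9]*)
            if [ "${1%%.*}" -lt 37 ]; then
                echo pre-37                      # bug was introduced in 37.0.0
            else
                echo fixed                       # 37.0.2; later releases assumed fixed
            fi ;;
        *) echo unknown ;;
    esac
}

# scan_headers DIR -> one "STATUS VERSION PATH" line per wasmtime.h under DIR
scan_headers() {
    find "$1" -type f -name wasmtime.h | sort | while IFS= read -r hdr; do
        ver=$(sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}WASMTIME_VERSION[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$hdr" | head -n 1)
        printf '%s %s %s\n' "$(classify_version "$ver")" "${ver:-?}" "$hdr"
    done
}

# has_affected DIR -> exit status 0 if any header under DIR is an affected release
has_affected() {
    scan_headers "$1" | grep '^affected ' >/dev/null
}

# Demo on constructed headers (sample data, not real installs).
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/vendor/a/include" "$d/vendor/b/include"
    printf '#define WASMTIME_VERSION "37.0.1"\n#define WASMTIME_VERSION_MAJOR 37\n' > "$d/vendor/a/include/wasmtime.h"
    printf '#define WASMTIME_VERSION "37.0.2"\n' > "$d/vendor/b/include/wasmtime.h"
    scan_headers "$d"
    rm -rf "$d"
}

if [ $# -gt 0 ]; then scan_headers "$1"; else demo; fi
```

A header reported as affected only matters for builds that use the C/C++ API; the advisory states that the 'wasmtime' Rust crate itself is not affected.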

Added: Oct 7, 2025, 7:19 PM
Updated: Oct 7, 2025, 7:19 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 0.6
exploitability: 4.3
remediation: 7.9
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.