Wasmtime Component Model Async Feature Dropping Futures Vulnerability Leading to Panic

Vulnerability

A vulnerability in Wasmtime's component model async feature can cause a panic if a host embedding drops a future returned by `TypedFunc::call_async` before it resolves. This issue is present in Wasmtime versions from 39.0.0 up to, but not including, 40.0.4, and from 41.0.0 up to, but not including, 41.0.4. The vulnerability occurs when a component function yields control to the async runtime and the host embedding drops the future after polling it once, leaving the component instance in a non-reenterable state. Subsequent calls to `call_async` on the same instance then trap, and Wasmtime panics when the runtime tries to dispose of the associated task.

Impact

Exploitation of this vulnerability causes Wasmtime to panic, disrupting the host embedding's execution.

Reproduction

The vulnerability can be reproduced by calling `TypedFunc::call_async` on a guest export function, polling the returned future once, and then dropping the future before it has a chance to resolve. After dropping the future, `call_async` can be called again on the same component instance, which will result in a panic.

Remediation

Users can upgrade to Wasmtime versions 40.0.4 or 41.0.4, both of which include the necessary patch. Additionally, if the component-model-async feature is not being used, it can be disabled to avoid the issue.
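
To check whether a build is pinned to an affected release, the sketch below scans Cargo.lock text for `wasmtime` entries and compares them with the ranges given above. It is an added example, not code from the advisory or the Wasmtime project; the function names and the sample lockfile are constructed for illustration, and it assumes the usual `[[package]]` / `name` / `version` layout of Cargo.lock.

```rust
// Added example (not Wasmtime project code). SAMPLE_LOCK is constructed.

/// Parse "MAJOR.MINOR.PATCH"; any pre-release/build suffix is ignored.
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let core = s.split(&['-', '+'][..]).next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    let v = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some(v) }
}

/// Affected ranges as stated in the advisory:
/// 39.0.0 up to (not including) 40.0.4, and 41.0.0 up to (not including) 41.0.4.
fn is_affected(v: (u64, u64, u64)) -> bool {
    (v >= (39, 0, 0) && v < (40, 0, 4)) || (v >= (41, 0, 0) && v < (41, 0, 4))
}

/// Return each locked `wasmtime` version found in Cargo.lock text and whether
/// it is affected. Sibling crates such as `wasmtime-environ` are skipped.
fn scan_lockfile(lock: &str) -> Vec<(String, bool)> {
    let mut out = Vec::new();
    let mut in_wasmtime = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_wasmtime = false;
        } else if line == "name = \"wasmtime\"" {
            in_wasmtime = true;
        } else if in_wasmtime {
            let ver = line.strip_prefix("version = \"").and_then(|r| r.strip_suffix('"'));
            if let Some((ver, v)) = ver.and_then(|s| parse_version(s).map(|v| (s, v))) {
                out.push((ver.to_string(), is_affected(v)));
                in_wasmtime = false;
            }
        }
    }
    out
}

// Constructed lockfile excerpt: two wasmtime versions plus a sibling crate.
const SAMPLE_LOCK: &str = "[[package]]\nname = \"wasmtime\"\nversion = \"40.0.3\"\n\n\
[[package]]\nname = \"wasmtime-environ\"\nversion = \"40.0.3\"\n\n\
[[package]]\nname = \"wasmtime\"\nversion = \"41.0.4\"\n";

fn main() {
    for (ver, bad) in scan_lockfile(SAMPLE_LOCK) {
        let status = if bad { "AFFECTED: upgrade to 40.0.4 or 41.0.4" } else { "not in affected range" };
        println!("wasmtime {}: {}", ver, status);
    }
}
```

Cargo.lock does not record which crate features are enabled, so a flagged version still needs a check of whether the component-model-async feature is actually in use.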

Added: Feb 24, 2026, 11:12 PM
Updated: Feb 24, 2026, 11:12 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 2.5
exploitability: 3.4
remediation: 8.3
relevance: 3.1
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.