CVE-2021-39216
Python vulnerability analysis and mitigation

Overview

Wasmtime, an open source runtime for WebAssembly and WASI, contained a use-after-free vulnerability (CVE-2021-39216) affecting versions from 0.19.0 to 0.30.0. The vulnerability was discovered and disclosed in September 2021 (GitHub Advisory).

Technical details

The vulnerability occurs when multiple externrefs are passed from the host to guest Wasm content at the same time. This can happen in two scenarios: passing multiple externrefs as arguments from host code to a Wasm function, or returning multiple externrefs to Wasm from a multi-value return function defined in the host. The issue arises when Wasmtime's VMExternRefActivationsTable reaches capacity after the first externref has been inserted, so that inserting the next one triggers a garbage collection. Because the first externref is not rooted until control passes to Wasm, the collector reclaims it if nothing else holds a reference to it. When control subsequently passes to Wasm, the guest may use the first externref, which has already been freed (GitHub Advisory).
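The ordering problem described above is easy to lose in prose, so here is a small Python model of it. This is an added, constructed example, not Wasmtime's code: the table, the GC, the externref type and the two host-call orderings are simplifications of the mechanism the advisory describes, and the "fixed" variant simply keeps every already-converted externref rooted until Wasm runs, which is the property the real fix restores. The bounded table and the collection-on-full rule are assumptions of the model.

```python
"""Model of the rooting bug behind CVE-2021-39216 (constructed example, not
Wasmtime's own code). A host passes several externrefs into Wasm; each one is
inserted into a bounded activations table, and an insert that finds the table
full triggers a collection. An externref that has already been handed over but
is not yet rooted is reclaimed if collection runs before control reaches Wasm."""

from dataclasses import dataclass


@dataclass(eq=False)  # identity-based hashing so refs can sit in root sets
class ExternRef:
    name: str
    freed: bool = False


class UseAfterFree(Exception):
    """Raised by the modelled Wasm body when it touches a freed externref."""


class ActivationsTable:
    """Bounded table of externrefs live for the current Wasm activation (model)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = []
        self.collections = 0

    def gc(self, roots):
        """Free every tracked externref that no root still references."""
        self.collections += 1
        survivors = []
        for ref in self.entries:
            if ref in roots:
                survivors.append(ref)
            else:
                ref.freed = True
        self.entries = survivors

    def insert_with_gc(self, ref, roots):
        """Insert one externref, collecting first if the table is full."""
        if len(self.entries) >= self.capacity:
            self.gc(roots)
        self.entries.append(ref)


def wasm_body(refs):
    """Stand-in for guest code that uses every argument it was given."""
    for ref in refs:
        if ref.freed:
            raise UseAfterFree(ref.name)
    return [ref.name for ref in refs]


def host_call_vulnerable(table, args, host_roots):
    """Vulnerable ordering: args are inserted one at a time and only the
    host's own roots are consulted, so an earlier arg can be collected while
    a later one is being inserted."""
    converted = []
    for ref in args:
        table.insert_with_gc(ref, host_roots)
        converted.append(ref)
    return wasm_body(converted)


def host_call_fixed(table, args, host_roots):
    """Fixed ordering (model): every arg already handed over, plus the one
    being inserted, stays rooted until control reaches Wasm."""
    converted = []
    for ref in args:
        table.insert_with_gc(ref, host_roots | set(converted) | {ref})
        converted.append(ref)
    return wasm_body(converted)


def run_scenario(call, capacity=1):
    """Pass two externrefs that nothing else holds; report the outcome and
    how many collections the table ran."""
    table = ActivationsTable(capacity)
    args = [ExternRef("a"), ExternRef("b")]
    try:
        return call(table, args, set()), table.collections
    except UseAfterFree as err:
        return f"use-after-free on {err}", table.collections


if __name__ == "__main__":
    print("vulnerable, capacity 1:", run_scenario(host_call_vulnerable))
    print("vulnerable, capacity 2:", run_scenario(host_call_vulnerable, 2))
    print("fixed, capacity 1:     ", run_scenario(host_call_fixed))
```

With capacity 1 the vulnerable ordering loses the first externref as soon as the second is inserted, while the same call with spare capacity (or the fixed ordering) completes normally; that is why the advisory describes the trigger as the table being filled to capacity between the first and second externref, and why a fuzz target that only ever passes one externref would not reach it.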

Impact

The vulnerability could lead to use-after-free conditions when specific externref operations are performed. However, the actual impact was considered relatively limited due to the rare usage of externref functionality at the time (GitHub Advisory).

Mitigation and workarounds

The vulnerability was patched in Wasmtime version 0.30.0. For users unable to upgrade immediately, a workaround is available: disable reference-types support in Wasmtime by passing false to wasmtime::Config::wasm_reference_types, which removes the externref code paths entirely. Additionally, the project updated its externref fuzz target to better exercise these code paths for future security assurance (GitHub Advisory).
