CVE-2021-39219: 
Python vulnerability analysis and mitigation

Wasmtime, an open source runtime for WebAssembly & WASI, was affected by a type confusion vulnerability in versions before 0.30.0 (CVE-2021-39219). The vulnerability was discovered and disclosed in September 2021, impacting the safe API of Linker::func_* APIs (GitHub Advisory).

The vulnerability occurred when one Engine was used to create the Linker and then a different Engine was used to create a Store, followed by using the Linker to instantiate a module into that Store. This cross-Engine usage of functions, which is not supported in Wasmtime, could result in type confusion of function pointers, allowing functions to be safely called with the wrong type (GitHub Advisory). The vulnerability was rated as Moderate with a CVSS v3.1 score of 6.3 (NVD).

The vulnerability could lead to type confusion issues when using multiple Engine instances, potentially resulting in memory safety violations. However, the impact was considered relatively small since using more than one Engine in an embedding is relatively rare, as an Engine is intended to be a globally shared resource (GitHub Advisory).

The vulnerability was patched in Wasmtime version 0.30.0. For users unable to upgrade, it is recommended to use only one Engine for the entire program if possible, as an Engine is designed to be a globally shared resource. If multiple Engines are required, code should be audited to ensure that Linker is only used with one Engine (GitHub Advisory, Fedora Update).