chore(deps): update rust crate wasmtime to v36 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
wasmtime	dev-dependencies	major	=33.0.2 → =36.0.3

GitHub Vulnerability Alerts

CVE-2025-64345

Impact

Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host.

Wasmtime has a wasmtime::Memory type which represents linear memories in a WebAssembly module. Wasmtime also has wasmtime::SharedMemory, however, which represents shared linear memories introduced in the WebAssembly threads proposal. The API of SharedMemory does not provide accessors which return &[u8] in Rust, for example, as that's not a sound type signature when other threads could be modifying memory. The wasmtime::Memory type, however, does provide this API as it's intended to be used with non-shared memories where static knowledge is available that no concurrent or parallel reads or writes are happening. This means that it's not sound to represent a shared linear memory with wasmtime::Memory and it must instead be represented with wasmtime::SharedMemory.

There were two different, erroneous, methods of creating a wasmtime::Memory which represents a shared memory however:

1. The wasmtime::Memory::new constructor takes a MemoryType which could be shared. This function did not properly reject shared memory types and require usage of SharedMemory::new instead.
2. Capturing a core dump with WebAssembly would expose all linear memories a wasmtime::Memory. This means that a core dump would perform an unsynchronized read of shared linear memory, possibly leading to data races.

This is a bug in Wasmtime's safe Rust API. It should not be possible to cause unsoundness with Wasmtime's embedding API if unsafe is not used. Embeddings which do not use the wasm threads proposal nor created shared memories nor actually share shared memories across threads are unaffected. Only if shared memories are created across threads might an embedding be affected.

Patches

Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via Memory::new and shared memories are now excluded from core dumps.

Workarounds

Embeddings affected by this issue should use SharedMemory::new instead of Memory::new to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default. It's recommended to upgrade to a patched version of Wasmtime, however.

---

Release Notes

bytecodealliance/wasmtime (wasmtime)

v36.0.3

Compare Source

36.0.3

Released 2025-11-11.

Fixed

• Prevent using shared memories with Memory.
  CVE-2025-64345

v36.0.2

Compare Source

36.0.2

Released 2025-08-26.

Fixed

• Wasmtime will no longer panic in the pooling allocator when in near-OOM
  conditions related to resetting the linear memory of a slot.
  #​11510

v36.0.1

Compare Source

36.0.1

Released 2025-08-21.

Added

• Accessors for internal WASI-related contexts are added to
  wasmtime_wasi::WasiCtx to account for refactorings that happened in this
  release.
  #​11473

Changed

• Release artifacts for the C API are now smaller than the previous release to
  assist with redistribution as-is.
  #​11483

v36.0.0

Compare Source

36.0.0

Released 2025-08-20.

Added

• Cranelift's has initial support for inlining between functions. Wasmtime
  additionally now has support for inlining as well, for example between modules
  in a component.
  #​11210
  #​11239
  #​11228
  #​11269
  #​11283

• The async proposal for the Component Model is now fully implemented in
  Wasmtime with a number of WASIp3 interfaces implemented. The implementation
  is still off-by-default and the implementation of WASIp3 is not fully
  complete, but is remains suitable for testing.
  #​11127
  #​11136
  #​11137
  #​11238
  #​11221
  #​11250
  #​11257
  #​11291
  #​11325

Changed

• Users who implemented WasiHttpView::is_forbidden_header from
  wasmtime-wasi-http now need to include DEFAULT_FORBIDDEN_HEADERS, e.g.
  DEFAULT_FORBIDDEN_HEADERS.contains(name) || name.as_str() == "custom-forbidden-header"
  #​11292

• Cranelift's incremental cache has received some optimizations.
  #​11186

• Wasmtime's internal implementations of WebAssembly primitives has been
  refactored to be modeled with safer internal primitives.
  #​11211
  #​11212
  #​11216
  #​11229
  #​11215
  #​11254
  #​11255
  #​11319
  #​11320

• Detection of native hardware features has been refactored on s390x.
  #​11220

• Further progress has been made towards an implementation of the WebAssembly
  exceptions proposal, although it is not yet complete.
  #​11230
  #​11321

• Cranelift's assembler for x64 now supports EVEX encoding.
  #​11153
  #​11270
  #​11303

• The default implementation of send_request in the wasmtime-wasi-http crate
  is now behind an on-by-default feature gate.
  #​11323

• Configuration of the bindgen! macro has been redesigned to more consistently
  configure per-function options such as whether or not it's async.
  #​11328

• Initial support fo mutatis has been added to Wasmtime's fuzzers.
  #​11290

• The debug-builtins crate feature of wasmtime no compiles on no_std
  targets.
  #​11304

Fixed

• Deserializing external modules no long unnecessarily requires the allocation
  to be aligned.
  #​11306

• A CMake linker error and warning when using the C API on macOS has been fixed.
  #​11293
  #​11315

• The C API declaration of wasmtime_component_linker_instance_add_func has
  been fixed.
  #​11327

• The calculation of reachable DWARF has been fixed.
  #​11338

v35.0.0

Compare Source

35.0.0

Released 2025-07-22.

Added

• A new InputFile type has been added for specifying stdin as a file in WASI.
  #​10968

• Conditional branches to unconditional traps are now translated to conditional
  traps during legalization.
  #​10988

• The TE HTTP header can now be specified by guests.
  #​11002

• Winch on AArch64 should now pass all WebAssembly MVP tests. Note that it is
  still not yet Tier 1 at this time, however.
  #​10829
  #​11013
  #​11031
  #​11051

• The x64 backend now has lowering rules for {add,sub,or,and} mem, imm
  #​11043

• Initial support for WASIp2 in the C API has started to land.
  #​11055
  #​11172

• Initial support for GC support in the component model has started to land
  (note that it is not finished yet).
  #​10967
  #​11020

• The wasmtime-wasi-nn crate now has a feature to use a custom ONNX runtime.
  #​11060

• Cranelift now optimizes division-by-constant operations to no longer use
  division.
  #​11129

• A native-tls backend has been added for the wasi-tls implementation.
  #​11064

Changed

• Many more instructions for the x64 backend in Cranelift were migrated to the
  new assembler.
  #​10927
  #​10928
  #​10918
  #​10946
  #​10954
  #​10958
  #​10971
  #​10942
  #​10975
  #​11017
  #​10898
  #​10836
  ... (and more)

• Wasmtime internally uses Pin for VM data structures to make the internal
  implementations more sound to use. This has no effect on the public API of
  Wasmtime.
  #​10934
  #​10937
  #​10943
  #​10959
  #​11042

• Fused adapters between components now transfer the enum component model type
  more efficiently.
  #​10939

• Filenames of --emit-clif now match the symbol names found in *.cwasm
  artifacts and include the function name as well.
  #​10947
  #​11040

• Wasmtime-internal crates are now all named wasmtime-internal-* to even
  further discourage their use.
  #​10963

• Codegen of conditional traps with float compares has been improved.
  #​10966

• More patterns are now optimized in ISLE mid-end rules.
  #​10978
  #​10979
  #​11173

• Winch's support for constants/scratch registers has been improved internally.
  #​10986
  #​10998

• The C API artifacts on Windows are now produced with Clang instead of
  cl.exe.
  #​10890

• WebAssembly operand types are now taken into account during translation to
  optimize codegen better in the face of subtyping.
  #​11030

• The behavior of blocking-write-and-flush has been updated during flushing
  when closed is found.
  #​11018

• WASI WITs have been updated to 0.2.6.
  #​11049

• OpenVINO has been updated to v2025.1.
  #​11054

• The size of the wasmtime.addrmap section in *.cwasm artifacts has been
  shrunk slightly.
  #​11126

• Authorities in wasmtime-wasi-http can now contain the : character.
  #​11145

• Wasmtime now requires Rust 1.86 to compile.
  #​11142

• Wasmtime's DRC collector has been optimized and has a new more efficient means
  of managing the set of over-approximated roots on the stack.
  #​11144
  #​11148
  #​11167
  #​11168
  #​11169
  #​11175

• The ComponentType trait in Wasmtime now requires the Send and Sync
  bounds for all implementors.
  #​11160

• The V128 type is now usable on platforms other than aarch64 and x86_64.
  #​11165

• Wasmtime's policy on unsafe code and guidelines has been added.
  #​11177

• The std crate will no longer implicitly be used on cfg(unix) and
  cfg(windows) targets when the std Cargo feature is disabled. This means
  that these platforms now require std to be enabled to use the
  platform-specific implementation of linear memory, for example.
  #​11152

Fixed

• A panic when optimizing icmp with vectors has been fixed.
  #​10948

• A panic when lowering scalar_to_vector with i16x8 types has been fixed.
  #​10949

• The vector state register is now considered clobbered by calls on riscv64 to
  ensure it's updated across calls.
  #​11048

• An instance of gdb crashing on DWARF emitted by Wasmtime has been fixed.
  #​11077

• Fix a panic in the host caused by preview1 guests using fd_renumber.
  CVE-2025-53901.

• Fix a panic in the preview1 adapter caused by guests using fd_renumber.
  #​11277

v34.0.2

Compare Source

34.0.2

Released 2025-07-18.

Fixed

• Fix a panic in the host caused by preview1 guests using fd_renumber.
  CVE-2025-53901.

• Fix a panic in the preview1 adapter caused by guests using fd_renumber.
  #​11277

34.0.1

Released 2025-06-24.

Fixed

• Fix a panic with host-defined tables/globals and concrete reference
  types.
  #​11103

v34.0.1

Compare Source

34.0.1

Released 2025-06-24.

Fixed

• Fix a panic with host-defined tables/globals and concrete reference
  types.
  #​11103

v34.0.0

Compare Source

34.0.0

Released 2025-06-20.

Added

• Support for SIMD in the Pulley interpreter can now be disabled at compile-time
  to shrink the size of the final binary.
  #​10727

• The C API now has wasmtime_trap_new_code to create a wasm_trap_t from
  its code.
  #​10765

• Winch's support for x86_64 is now classified with tier 1 support in Wasmtime.
  #​10755

• Winch's support for aarch64 now implements stack checks to pass many more spec
  tests.
  #​10763

• Cranelift's s390x backend now has full support for the f128 type.
  #​10774

• Wasmtime's C API for the component model has initial support for calling
  functions.
  #​10697
  #​10841
  #​10858
  #​10864
  #​10877

• The wasmtime wast command now has a --generate-dwarf flag to show
  filename/line number information for backtraces.
  #​10780

Changed

• The shape of bindgen!-generated add_to_linker functions has changed with
  the removal of GetHost and replacement of a HasData trait. For more
  information see the associated PR.
  #​10770

• Wasmtime's Store<T> now requires that T: 'static. This is done in
  preparation for merging WASIp3 work to the main repository with some more
  information on the associated PR.
  #​10760

• The wasmtime::component::Instance::instance_pre method is now public.
  #​10761

• Wasmtime and Cranelift's minimnum supported version of Rust (MSRV) is now
  1.85.0.
  #​10785

• Cranelift's debugtrap on aarch64 now generates brk #​0xf000 for debuggers
  to recognize it.
  #​10813

• The wasi-http implementation no longer generates a trap if the handle to
  receive the response on the host is dropped early.
  #​10833

• The wasmtime serve command will now send some boilerplate descriptive HTML
  on a 500 server error instead of nothing.
  #​10851

• A significant amount of work has gone into the new assembler for the x64
  backend. Too many PRs to list here but progress continues apace at defining
  all machine instructions in a standalone crate.

• Cranelift will now reject unimplemented big-endian loads/stores on backends
  that do not implement this functionality.
  #​10863

• The wasmtime explore generated HTML handles large modules better now.
  #​10892

• Wasmtime's internal representation of wasmtime::Func has changed and a
  previous optimization of Func::call has been lost. If affected it'd
  recommended to use Func::call_unchecked instead or to open an issue.
  #​10897

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path crates/code-generator/Cargo.toml --package wasmtime@33.0.2 --precise 36.0.3
    Updating crates.io index
error: failed to select a version for the requirement `wasmtime = "^33.0.1"`
candidate versions found which didn't match: 36.0.3
location searched: crates.io index
required by package `wasmtime-wasi v33.0.1`
    ... which satisfies dependency `wasmtime-wasi = "=33.0.1"` of package `code-generator v0.1.0 (/tmp/renovate/repos/github/ricora/ao/crates/code-generator)`