CVE
CVE-2025-66627
Critical Use-After-Free in Wasmi's Linear Memory
Summary
A use-after-free vulnerability has been discovered in the linear memory implementation of Wasmi. This issue can be triggered by a WebAssembly module under certain memory growth conditions, potentially leading to memory corruption, information disclosure, or code execution.
Impact
- Confidentiality: High – attacker-controlled memory reads possible.
- Integrity: High – memory corruption may allow arbitrary writes.
- Availability: High – interpreter crashes possible.
Affected Versions
Wasmi v0.41.0 through Wasmi v1.0.0.
Workarounds
- Upgrade to the latest patched version of Wasmi.
- Consider limiting the maximum linear memory sizes where feasible.
Credits
This vulnerability was discovered by Robert T. Morris (RTM).
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.4
-
3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
0
-
3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
8.4
-
3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Related Resources
No items found.
References
https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-g4v2-cjqp-rfmq, https://nvd.nist.gov/vuln/detail/CVE-2025-66627, https://github.com/wasmi-labs/wasmi/commit/0e6f0d2a8325602c58d6a53ce1c0e6045eb6a490, https://github.com/wasmi-labs/wasmi
Basic Information
Ecosystem
