CVE-2025-64345

LOW EPSS 0.8%
Published Nov 12, 20257mo ago · Modified Jun 17, 20261w ago
1.8 CVSS 3.1
Low
Find Similar
Published Nov 12, 2025 7mo ago
Last Modified Jun 17, 2026 1w ago

Description

Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host. Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via `Memory::new` and shared memories are now excluded from core dumps. As a workaround, eembeddings affected by this issue should use `SharedMemory::new` instead of `Memory::new` to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default.

CVSS Details

Base Score
1.8
Exploitability
0.3
Impact
1.4
Vector string
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
Attack Vector Local
Attack Complexity High
Privileges Required High
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
0.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-362

References 6

  • docs.rs https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new
  • docs.rs https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new
  • docs.wasmtime.dev https://docs.wasmtime.dev/stability-release.html
  • github.com https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10
  • github.com https://github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4
  • github.com https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.