CVE-2025-64345
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-12

Last updated on: 2025-11-12

Assigner: GitHub, Inc.

Description
Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host. Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via `Memory::new` and shared memories are now excluded from core dumps. As a workaround, eembeddings affected by this issue should use `SharedMemory::new` instead of `Memory::new` to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-12
Last Modified
2025-11-12
Generated
2026-05-07
AI Q&A
2025-11-13
EPSS Evaluated
2026-05-05
NVD
CVE-2025-64345
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wasmtime wasmtime *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Wasmtime's Rust embedder API involves an unsound interaction where a WebAssembly shared linear memory could be accessed as a type that provides safe access to the host (Rust) memory contents. However, because shared linear memories can be modified in parallel, this leads to a potential data race in the host environment. The issue arises from using Memory::new to create shared memories, which is unsafe. The vulnerability has been addressed by rejecting creation of shared memories via Memory::new and excluding shared memories from core dumps. The recommended workaround is to use SharedMemory::new instead of Memory::new for creating shared memories and to disable core dumps if upgrading is not possible.


How can this vulnerability impact me? :

This vulnerability can lead to data races in the host environment when using Wasmtime's Rust embedder API with shared linear memories. Data races can cause unpredictable behavior, potential crashes, or corruption of data in applications embedding Wasmtime. This could affect the stability and reliability of software relying on Wasmtime for WebAssembly execution, especially if shared memories are created unsafely.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Wasmtime to one of the patched versions: 24.0.5, 36.0.3, 37.0.3, or 38.0.4. If upgrading is not possible, use SharedMemory::new instead of Memory::new to create shared memories in your embedding. Additionally, disable core dumps as a workaround if you cannot upgrade, since shared memories are excluded from core dumps in the patched versions and core dumps are disabled by default.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart