CVE-2025-64713
BaseFortify
Publication date: 2025-11-25
Last updated on: 2025-12-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bytecodealliance | webassembly_micro_runtime | to 2.4.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an out-of-bounds array access issue in the WebAssembly Micro Runtime (WAMR) fast interpreter mode during WASM bytecode loading. Specifically, when certain internal arrays (frame_ref_bottom and frame_offset_bottom) reach capacity and a GET_GLOBAL(I32) opcode is processed, frame_ref_bottom is expanded but frame_offset_bottom may not be. If this is immediately followed by an if opcode triggering preserve_local_for_block, the function uses an upper bound that causes out-of-bounds access to frame_offset_bottom, potentially leading to memory corruption or crashes. This issue was fixed in version 2.4.4.
How can this vulnerability impact me? :
The vulnerability can cause out-of-bounds memory access, which may lead to application crashes or denial of service. Since the CVSS score indicates a high impact on availability (A:H) but no impact on confidentiality or integrity, the main risk is disruption of service rather than data compromise.
What immediate steps should I take to mitigate this vulnerability?
Upgrade WebAssembly Micro Runtime (WAMR) to version 2.4.4 or later, as this version contains the patch that fixes the out-of-bounds array access issue in the fast interpreter mode.