Executive Summary

CVE-2025-15572 is a memory leak vulnerability in the wasm3 WebAssembly interpreter, specifically in the function NewCodePage. When the interpreter encounters a runtime error related to an incorrect value count on the stack, it aborts execution but fails to free a large allocated memory block of approximately 263 MB. This memory block is allocated for tasks such as JIT compilation or code generation. The leak occurs because the error handling path exits without releasing this memory, leading to resource exhaustion.

This vulnerability is reproducible in production (RELEASE) builds on Linux x86_64 systems compiled with Clang and has been confirmed using AddressSanitizer. It affects wasm3 versions up to 0.5.0 and is critical in environments like embedded systems or long-running services where memory resources are limited.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to significant resource exhaustion due to a large memory leak of about 263 MB each time the error is triggered. This can cause out-of-memory (OOM) crashes and denial of service (DoS) conditions, making the affected system or service unavailable.

Systems that run wasm3, especially embedded devices, IoT devices, or long-running services, are at risk because repeated triggering of this error can rapidly consume available memory, leading to instability or crashes.

Exploitation requires local access, but crafted WebAssembly modules can trigger the error and memory leak, making it possible for an attacker with local privileges to disrupt service availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'The vulnerability in wasm3 (CVE-2025-15572) manifests as a significant memory leak of approximately 263 MB triggered by a runtime error "incorrect value count on stack" in the NewCodePage function. Detection involves monitoring for abnormal memory usage or out-of-memory (OOM) conditions in systems running wasm3, especially after encountering this specific runtime error.'}, {'type': 'paragraph', 'content': 'Detection can be aided by using tools like AddressSanitizer (ASAN) on Linux x86_64 systems compiled with Clang in Release mode, which can confirm the memory leak by tracing allocations in NewCodePage.'}, {'type': 'paragraph', 'content': 'While no specific commands are provided in the resources, general approaches include:'}, {'type': 'list_item', 'content': 'Monitoring process memory usage with commands like `top`, `htop`, or `ps` to detect unusual memory growth in wasm3 processes.'}, {'type': 'list_item', 'content': 'Using AddressSanitizer during testing to detect memory leaks when running wasm3 binaries compiled with Clang.'}, {'type': 'list_item', 'content': 'Checking system logs or wasm3 output for the runtime error message "incorrect value count on stack" which triggers the leak.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation options are limited because the wasm3 project currently has no active maintainer and no known fixes or patches are available.'}, {'type': 'paragraph', 'content': 'Users are advised to consider the following steps:'}, {'type': 'list_item', 'content': 'Avoid running untrusted or crafted WebAssembly modules that could trigger the "incorrect value count on stack" error and cause the memory leak.'}, {'type': 'list_item', 'content': 'Monitor wasm3 processes for abnormal memory consumption and restart them if memory usage grows excessively to prevent system crashes.'}, {'type': 'list_item', 'content': 'Consider using alternative WebAssembly runtimes or products that do not have this vulnerability.'}, {'type': 'list_item', 'content': 'If possible, run wasm3 in isolated or controlled environments to limit the impact of potential denial of service.'}] [5, 1, 2]

Useful 0 Not Useful 0