CVE-2025-15572
Memory Leak in wasm3 NewCodePage Function via Local Attack
Publication date: 2026-02-10
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wasm3_project | wasm3 | to 0.5.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15572 is a memory leak vulnerability in the wasm3 WebAssembly interpreter, specifically in the function NewCodePage. When the interpreter encounters a runtime error related to an incorrect value count on the stack, it aborts execution but fails to free a large allocated memory block of approximately 263 MB. This memory block is allocated for tasks such as JIT compilation or code generation. The leak occurs because the error handling path exits without releasing this memory, leading to resource exhaustion.
This vulnerability is reproducible in production (RELEASE) builds on Linux x86_64 systems compiled with Clang and has been confirmed using AddressSanitizer. It affects wasm3 versions up to 0.5.0 and is critical in environments like embedded systems or long-running services where memory resources are limited.
How can this vulnerability impact me?
The vulnerability can lead to significant resource exhaustion due to a large memory leak of about 263 MB each time the error is triggered. This can cause out-of-memory (OOM) crashes and denial of service (DoS) conditions, making the affected system or service unavailable.
Systems that run wasm3, especially embedded devices, IoT devices, or long-running services, are at risk because repeated triggering of this error can rapidly consume available memory, leading to instability or crashes.
Exploitation requires local access, but crafted WebAssembly modules can trigger the error and memory leak, making it possible for an attacker with local privileges to disrupt service availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability in wasm3 (CVE-2025-15572) manifests as a significant memory leak of approximately 263 MB triggered by a runtime error "incorrect value count on stack" in the NewCodePage function. Detection involves monitoring for abnormal memory usage or out-of-memory (OOM) conditions in systems running wasm3, especially after encountering this specific runtime error.
Detection can be aided by using tools like AddressSanitizer (ASAN) on Linux x86_64 systems compiled with Clang in Release mode, which can confirm the memory leak by tracing allocations in NewCodePage.
While no specific commands are provided in the resources, general approaches include:
- Monitoring process memory usage with commands like `top`, `htop`, or `ps` to detect unusual memory growth in wasm3 processes.
- Using AddressSanitizer during testing to detect memory leaks when running wasm3 binaries compiled with Clang.
- Checking system logs or wasm3 output for the runtime error message "incorrect value count on stack" which triggers the leak.
[1, 2]
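The two checks described above (memory growth in wasm3 processes and the "incorrect value count on stack" message in logs), as an added shell example; it is not from the wasm3 project or the referenced resources. The function names, the 263 MiB threshold and the sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: spot the ~263 MB-per-error growth pattern in wasm3 processes.
# Sample format matches `ps -eo pid=,rss=,comm=` (PID, RSS in KiB, command name).

ERR_MSG='incorrect value count on stack'   # runtime error text quoted on this page
LEAK_STEP_KB=$((263 * 1024))               # assumed threshold: one leaked block

# rss_growth BEFORE AFTER [NAME]: print "pid growth_kib" for every NAME process
# (default wasm3) whose RSS grew by at least LEAK_STEP_KB between the two samples.
rss_growth() {
  awk -v name="${3:-wasm3}" -v step="$LEAK_STEP_KB" '
    $3 != name { next }                       # ignore unrelated processes
    NR == FNR  { before[$1] = $2; next }      # first file: remember baseline RSS
    ($1 in before) && ($2 - before[$1] >= step) { print $1, $2 - before[$1] }
  ' "$1" "$2"
}

# count_stack_errors LOGFILE: number of lines containing the triggering error.
count_stack_errors() {
  grep -cF -- "$ERR_MSG" "$1" || true         # grep exits 1 on zero matches
}

# sample_live SECONDS: take two real ps samples and compare them.
sample_live() {
  a=$(mktemp); b=$(mktemp)
  ps -eo pid=,rss=,comm= > "$a"; sleep "${1:-60}"; ps -eo pid=,rss=,comm= > "$b"
  rss_growth "$a" "$b"; rm -f "$a" "$b"
}

# demo: run both checks on constructed data (not captured from a real system).
demo() {
  d=$(mktemp -d)
  printf '%s\n' '101 20480 wasm3' '200 900000 nginx' > "$d/before"
  printf '%s\n' '101 289792 wasm3' '200 1900000 nginx' > "$d/after"
  printf '%s\n' 'Error: incorrect value count on stack' 'done' > "$d/log"
  echo "grown: $(rss_growth "$d/before" "$d/after")"
  echo "errors logged: $(count_stack_errors "$d/log")"
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to see both checks on the constructed samples; `sample_live` compares two real `ps` snapshots taken the given number of seconds apart.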
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation options are limited because the wasm3 project currently has no active maintainer and no known fixes or patches are available.
Users are advised to consider the following steps:
- Avoid running untrusted or crafted WebAssembly modules that could trigger the "incorrect value count on stack" error and cause the memory leak.
- Monitor wasm3 processes for abnormal memory consumption and restart them if memory usage grows excessively to prevent system crashes.
- Consider using alternative WebAssembly runtimes or products that do not have this vulnerability.
- If possible, run wasm3 in isolated or controlled environments to limit the impact of potential denial of service.
[5, 1, 2]