CVE-2026-58592
Received - Intake

Memory Corruption in Ladybird WebAssembly ESM Integration

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: VulnCheck

Description

Ladybird contains a dangling-reference memory-safety flaw in its WebAssembly ESM-integration module loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference to create_host_function, whose host callback captures and later reads that reference; once the ESM link-loop iteration ends the FunctionType is destroyed, leaving the callback with a dangling reference (the normal instantiate path uses a long-lived reference and is not affected). Stale result-type data lets the host callback return an empty result vector for a statically non-empty result, so the destination register retains an attacker-influenced value that is then consumed by the WASM-GC array.set handler, which bit-casts the reference low bits to an ArrayInstance pointer after only a null check, yielding an arbitrary write. A web page can chain this into code execution in the WebContent process. Verified reachable from HTML content without any instrumentation or source modification.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs

Vendor | Product | Version / Range
ladybird | browser | to 2026-58592 (inc)
ladybird | ladybird | *

CWE
CWE ID | Description
CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer.
CWE-825 | The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

Executive Summary

CVE-2026-58592 is a high-severity vulnerability in the Ladybird browser's WebAssembly ESM-integration module loader. It is a dangling-reference memory-safety flaw: when a JavaScript function is imported into a WebAssembly module via the ESM path, the host callback captures a reference to a stack-local Wasm::FunctionType. Once the ESM link-loop iteration ends, that object is destroyed and the callback is left holding a dangling reference.

Reading stale result-type data through this reference, the host callback can return an empty result vector for a statically non-empty result, so the destination register retains an attacker-influenced value. The WASM-GC array.set handler then bit-casts the low bits of that reference value to an ArrayInstance pointer after only a null check, enabling an arbitrary write.

An attacker can exploit this flaw to chain the arbitrary write into remote code execution within the WebContent process, achievable from HTML content without any instrumentation or source modification.

Impact Analysis

This vulnerability allows an attacker to achieve remote code execution (RCE) within the Ladybird browser's WebContent process. By exploiting the dangling reference and arbitrary write, an attacker can execute arbitrary native code.

Since the exploit is reachable from HTML content without requiring any additional instrumentation or source modification, it can be triggered by simply visiting a malicious web page.

The impact includes potential full compromise of the browser process, leading to unauthorized actions such as data theft, manipulation of browser behavior, or further exploitation of the underlying system.

Detection Guidance

Detection of CVE-2026-58592 involves identifying exploitation attempts targeting the Ladybird browser's WebAssembly ESM host function implementation. Since the vulnerability is triggered by importing JavaScript functions into WebAssembly modules via the ESM path and involves specific WebAssembly behaviors, detection would focus on monitoring WebAssembly module loading and execution patterns.

There are no explicit commands provided in the resources for detecting this vulnerability on a network or system.

Mitigation Strategies

Immediate mitigation steps include updating the Ladybird browser to a version where the vulnerability is fixed. The fix involves ensuring that the host function callback owns a stable copy of the FunctionType instead of a reference to stack-local storage, and validating host result arity against the static function type before returning to bytecode execution.

Additionally, avoiding loading untrusted WebAssembly modules that import JavaScript functions via the ESM path can reduce exposure until patches are applied.
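
The two parts of the fix described above (owning the FunctionType and checking result arity) can be sketched as follows. This is an added example, not Ladybird's code: the types and the names make_host_function_by_ref, make_host_function_owned and link_imports are simplified, hypothetical stand-ins.

```cpp
// Added illustration with simplified stand-in types; not Ladybird's code.
#include <cstdio>
#include <functional>
#include <optional>
#include <utility>
#include <vector>

enum class ValueType { I32, I64 };
struct FunctionType { std::vector<ValueType> parameters, results; };
using Values = std::vector<long long>;
using HostResult = std::optional<Values>;              // nullopt models a trap
using HostFunction = std::function<HostResult(Values const&)>;
using JsCallback = std::function<Values(Values const&)>;

// Flawed shape: the callback reads `type` through a reference, so it is only
// valid while the caller's FunctionType object is still alive.
HostFunction make_host_function_by_ref(FunctionType const& type, JsCallback js) {
    return [&type, js](Values const& args) -> HostResult {
        if (type.results.empty()) return Values {};    // dangling read once the caller's local dies
        return js(args);
    };
}

// Fixed shape: the callback owns a copy of the type and checks arity both ways.
HostFunction make_host_function_owned(FunctionType type, JsCallback js) {
    return [type = std::move(type), js = std::move(js)](Values const& args) -> HostResult {
        if (args.size() != type.parameters.size()) return std::nullopt;
        Values out = js(args);
        if (out.size() != type.results.size()) return std::nullopt; // never under-fill results
        return out;
    };
}

// Models the link loop: each import's type is a per-iteration stack local.
std::vector<HostFunction> link_imports(std::vector<FunctionType> const& declared, JsCallback js) {
    std::vector<HostFunction> linked;
    for (auto const& decl : declared) {
        FunctionType local = decl;                     // destroyed at the end of this iteration
        linked.push_back(make_host_function_owned(local, js));
    }
    return linked;
}

int main() {
    FunctionType t { { ValueType::I32 }, { ValueType::I32 } };
    auto ok = link_imports({ t }, [](Values const& a) { return Values { a[0] + 1 }; });
    auto bad = link_imports({ t }, [](Values const&) { return Values {}; });
    std::printf("ok=%d bad_trapped=%d\n", ok[0]({ 41 }).has_value(), !bad[0]({ 41 }).has_value());
}
```

With the owned copy, a callback invoked after the loop iteration has ended still sees the declared type, and a host function that returns too few results traps instead of leaving the destination register untouched.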
