ghsa-hc7m-r6v8-hg9q
Vulnerability from github
Published
2025-11-12 21:36
Modified
2025-11-13 22:02
Severity ?
1.8 (Low) - CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
Summary
Wasmtime provides unsound API access to a WebAssembly shared linear memory
Details

Impact

Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host.

Wasmtime has a wasmtime::Memory type which represents linear memories in a WebAssembly module. Wasmtime also has wasmtime::SharedMemory, however, which represents shared linear memories introduced in the WebAssembly threads proposal. The API of SharedMemory does not provide accessors which return &[u8] in Rust, for example, as that's not a sound type signature when other threads could be modifying memory. The wasmtime::Memory type, however, does provide this API as it's intended to be used with non-shared memories where static knowledge is available that no concurrent or parallel reads or writes are happening. This means that it's not sound to represent a shared linear memory with wasmtime::Memory and it must instead be represented with wasmtime::SharedMemory.

There were two different, erroneous, methods of creating a wasmtime::Memory which represents a shared memory however:

  1. The wasmtime::Memory::new constructor takes a MemoryType which could be shared. This function did not properly reject shared memory types and require usage of SharedMemory::new instead.
  2. Capturing a core dump with WebAssembly would expose all linear memories a wasmtime::Memory. This means that a core dump would perform an unsynchronized read of shared linear memory, possibly leading to data races.

This is a bug in Wasmtime's safe Rust API. It should not be possible to cause unsoundness with Wasmtime's embedding API if unsafe is not used. Embeddings which do not use the wasm threads proposal nor created shared memories nor actually share shared memories across threads are unaffected. Only if shared memories are created across threads might an embedding be affected.

Patches

Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via Memory::new and shared memories are now excluded from core dumps.

Workarounds

Embeddings affected by this issue should use SharedMemory::new instead of Memory::new to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default. It's recommended to upgrade to a patched version of Wasmtime, however.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "38.0.0"
            },
            {
              "fixed": "38.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "37.0.0"
            },
            {
              "fixed": "37.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "26.0.0"
            },
            {
              "fixed": "36.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64345"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-12T21:36:29Z",
    "nvd_published_at": "2025-11-12T22:15:49Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nWasmtime\u0027s Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host.\n\nWasmtime has a `wasmtime::Memory` type which represents linear memories in a WebAssembly module. Wasmtime also has `wasmtime::SharedMemory`, however, which represents shared linear memories introduced in the WebAssembly `threads` proposal. The API of `SharedMemory` does not provide accessors which return `\u0026[u8]` in Rust, for example, as that\u0027s not a sound type signature when other threads could be modifying memory. The `wasmtime::Memory` type, however, does provide this API as it\u0027s intended to be used with non-shared memories where static knowledge is available that no concurrent or parallel reads or writes are happening. This means that it\u0027s not sound to represent a shared linear memory with `wasmtime::Memory` and it must instead be represented with `wasmtime::SharedMemory`.\n\nThere were two different, erroneous, methods of creating a `wasmtime::Memory` which represents a shared memory however:\n\n1. The [`wasmtime::Memory::new` constructor](https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new) takes a `MemoryType` which could be `shared`. This function did not properly reject shared memory types and require usage of [`SharedMemory::new`](https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new) instead.\n2. Capturing a core dump with WebAssembly would expose all linear memories a `wasmtime::Memory`. This means that a core dump would perform an unsynchronized read of shared linear memory, possibly leading to data races.\n\nThis is a bug in Wasmtime\u0027s safe Rust API. It should not be possible to cause unsoundness with Wasmtime\u0027s embedding API if `unsafe` is not used. Embeddings which do not use the wasm threads proposal nor created shared memories nor actually share shared memories across threads are unaffected. Only if shared memories are created across threads might an embedding be affected.\n\n### Patches\n\nPatch releases have been issued for [all supported versions of Wasmtime](https://docs.wasmtime.dev/stability-release.html), notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via `Memory::new` and shared memories are now excluded from core dumps. \n\n### Workarounds\n\nEmbeddings affected by this issue should use `SharedMemory::new` instead of `Memory::new` to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default. It\u0027s recommended to upgrade to a patched version of Wasmtime, however.",
  "id": "GHSA-hc7m-r6v8-hg9q",
  "modified": "2025-11-13T22:02:14Z",
  "published": "2025-11-12T21:36:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64345"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10"
    },
    {
      "type": "WEB",
      "url": "https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new"
    },
    {
      "type": "WEB",
      "url": "https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new"
    },
    {
      "type": "WEB",
      "url": "https://docs.wasmtime.dev/stability-release.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bytecodealliance/wasmtime"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0118.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Wasmtime provides unsound API access to a WebAssembly shared linear memory"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.