WebAssembly Memory Interaction Issue in Wasmtime by Bytecode Alliance
CVE-2025-64345

1.8LOW

Key Information:

Vendor

Bytecodealliance

Status
Wasmtime
Vendor
CVE Published:
12 November 2025

What is CVE-2025-64345?

Wasmtime, a WebAssembly runtime, is vulnerable due to an unsound interaction in its Rust embedder API prior to specified versions. This flaw allows shared linear memory to be misinterpreted, potentially leading to unsafe parallel modifications and data races. Versions 24.0.5, 36.0.3, 37.0.3, and 38.0.4 have been patched to prevent the creation of shared memories via Memory::new, mandating the use of SharedMemory::new instead. For those unable to upgrade, disabling core dumps is recommended as a temporary workaround.

Affected Version(s)

wasmtime >= 38.0.1, < 38.0.4 < 38.0.1, 38.0.4

wasmtime >= 37.0.0, < 37.0.3 < 37.0.0, 37.0.3

wasmtime >= 26.0.0, < 36.0.3 < 26.0.0, 36.0.3

References

https://github.com/bytecodealliance/wasmtime/security/adv...
x_refsource_CONFIRM
https://github.com/bytecodealliance/wasmtime/commit/9ebb6...
x_refsource_MISC
https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.ht...
x_refsource_MISC

CVSS V3.1

Score:
1.8
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.