Dangling Reference Memory-Safety Flaw in Ladybird WebAssembly Module Loader
CVE-2026-58592
Key Information:
- Vendor: Ladybirdbrowser
- CVE Published: 1 July 2026
What is CVE-2026-58592?
The Ladybird browser contains a memory-safety vulnerability: a dangling reference in the module loader of its WebAssembly ESM integration. When JavaScript functions are imported into WebAssembly modules, improper handling leaves a callback holding a reference to a destroyed FunctionType. An attacker can then influence the value retained by a destination register, ultimately allowing arbitrary code execution through a crafted web page. The exploit is reachable directly from HTML content without any modifications or additional instrumentation, making it a significant security concern.
Affected Version(s)
Ladybird 0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved
