Dangling Reference Memory-Safety Flaw in Ladybird WebAssembly Module Loader
CVE-2026-58592

8.9HIGH

Key Information:

Status
Vendor
CVE Published:
1 July 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-58592?

The Ladybird browser contains a memory-safety vulnerability characterized by a dangling reference in its WebAssembly ESM integration module loader. When JavaScript functions are imported into WebAssembly modules, improper handling results in a callback retaining a reference to a destroyed FunctionType. This can lead to a scenario where an attacker influences the value retained by a destination register, ultimately allowing arbitrary code execution through a crafted web page. The exploit is reachable directly from HTML content without any modifications or additional instrumentation, making it a significant security concern.

Affected Version(s)

Ladybird 0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V4

Score:
8.9
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.