<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-07-15T20:43:44.970880+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the most 10 recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/b330f885-a428-45c5-81c6-91f32095e948/export</id>
    <title>b330f885-a428-45c5-81c6-91f32095e948</title>
    <updated>2026-07-15T20:43:44.999581+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "b330f885-a428-45c5-81c6-91f32095e948", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-61670", "type": "seen", "source": "https://gist.github.com/alon710/553eb2089447345d30a93b1881dc2ee5", "content": "# CVE-2025-61670: CVE-2025-61670: Memory Leak in Wasmtime C/C++ API WebAssembly GC Reference Handling\n\n&amp;gt; **CVSS Score:** 3.3\n&amp;gt; **Published:** 2026-07-14\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2025-61670\n\n## Summary\nA technical analysis of CVE-2025-61670, a memory leak vulnerability in Wasmtime's C and C++ API bindings. The issue stems from a refactoring in version 37.0.0 that transitioned garbage-collected reference tracking to host heap-allocated OwnedRooted types without updating FFI ownership semantics.\n\n## TL;DR\nA memory leak in Wasmtime v37.0.0-37.0.1 C/C++ bindings allows local guest modules to exhaust host memory and cause a denial of service.\n\n## Technical Details\n\n- **CWE ID**: CWE-772\n- **Attack Vector**: Local (AV:L)\n- **CVSS v3.1**: 3.3 (Low)\n- **EPSS Score**: 0.00178 (0.18% probability)\n- **Impact**: Availability (Memory Exhaustion / DoS)\n- **Exploit Status**: No public PoC\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- Wasmtime C and C++ API bindings\n- Downstream bindings utilizing C APIs (e.g. wasmtime-py)\n- **Wasmtime**: &amp;gt;= 37.0.0, &amp;lt;= 37.0.1 (Fixed in: `37.0.2`)\n\n## Mitigation\n\n- Upgrade Wasmtime to version 37.0.2 or higher.\n- Avoid using GC-managed values (anyref, externref) over C/C++ boundaries, substituting primitive index handles instead.\n\n**Remediation Steps:**\n1. Update build dependencies (e.g., Cargo, CMake) to pull Wasmtime v37.0.2 or later.\n2. Recompile the C/C++ host application using the updated headers to inherit the corrected RAII destructors.\n3. Run runtime tests using AddressSanitizer or Valgrind to verify that GC reference lifecycles are correctly reclaimed upon scope exit.\n\n## References\n\n- [Bytecode Alliance Security Advisory GHSA-vvp9-h8p2-xwfc](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vvp9-h8p2-xwfc)\n- [Wasmtime Fix Commit adff9d9d0f09569203709d5687e5a7dc8e1ad0a3](https://github.com/bytecodealliance/wasmtime/commit/adff9d9d0f09569203709d5687e5a7dc8e1ad0a3)\n- [Wasmtime Release v37.0.2](https://github.com/bytecodealliance/wasmtime/releases/tag/v37.0.2)\n- [NVD CVE-2025-61670](https://nvd.nist.gov/vuln/detail/CVE-2025-61670)\n- [CVE.org CVE-2025-61670](https://www.cve.org/CVERecord?id=CVE-2025-61670)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2025-61670) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-14T19:42:05.146724Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/b330f885-a428-45c5-81c6-91f32095e948/export"/>
    <published>2026-07-14T19:42:05.146724+00:00</published>
  </entry>
</feed>
