CVE-2025-64345 (GCVE-0-2025-64345)

Vulnerability from cvelistv5 – Published: 2025-11-12 21:25 – Updated: 2025-11-12 21:40
VLAI?
Summary
Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host. Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via `Memory::new` and shared memories are now excluded from core dumps. As a workaround, eembeddings affected by this issue should use `SharedMemory::new` instead of `Memory::new` to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default.
Severity ?
1.8 (Low)
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
CWE
  • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
Impacted products
Vendor Product Version
bytecodealliance wasmtime Affected: >= 38.0.1, < 38.0.4
Affected: >= 37.0.0, < 37.0.3
Affected: >= 26.0.0, < 36.0.3
Affected: < 24.0.5
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64345",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-12T21:40:25.293462Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-12T21:40:37.909Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wasmtime",
          "vendor": "bytecodealliance",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 38.0.1, \u003c 38.0.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 37.0.0, \u003c 37.0.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 26.0.0, \u003c 36.0.3"
            },
            {
              "status": "affected",
              "version": "\u003c 24.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime\u0027s Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host. Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via `Memory::new` and shared memories are now excluded from core dumps. As a workaround, eembeddings affected by this issue should use `SharedMemory::new` instead of `Memory::new` to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 1.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-362",
              "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-12T21:25:50.832Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q"
        },
        {
          "name": "https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10"
        },
        {
          "name": "https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new"
        },
        {
          "name": "https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new"
        },
        {
          "name": "https://docs.wasmtime.dev/stability-release.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.wasmtime.dev/stability-release.html"
        },
        {
          "name": "https://github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4"
        }
      ],
      "source": {
        "advisory": "GHSA-hc7m-r6v8-hg9q",
        "discovery": "UNKNOWN"
      },
      "title": "Wasmtime provides unsound API access to a WebAssembly shared linear memory"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64345",
    "datePublished": "2025-11-12T21:25:50.832Z",
    "dateReserved": "2025-10-30T17:40:52.031Z",
    "dateUpdated": "2025-11-12T21:40:37.909Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-64345\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-12T22:15:49.623\",\"lastModified\":\"2025-11-14T16:42:30.503\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime\u0027s Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host. Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via `Memory::new` and shared memories are now excluded from core dumps. As a workaround, eembeddings affected by this issue should use `SharedMemory::new` instead of `Memory::new` to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":1.8,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.3,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]}],\"references\":[{\"url\":\"https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://docs.wasmtime.dev/stability-release.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-64345\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-12T21:40:25.293462Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-12T21:40:34.331Z\"}}], \"cna\": {\"title\": \"Wasmtime provides unsound API access to a WebAssembly shared linear memory\", \"source\": {\"advisory\": \"GHSA-hc7m-r6v8-hg9q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 1.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"bytecodealliance\", \"product\": \"wasmtime\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 38.0.1, \u003c 38.0.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 37.0.0, \u003c 37.0.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 26.0.0, \u003c 36.0.3\"}, {\"status\": \"affected\", \"version\": \"\u003c 24.0.5\"}]}], \"references\": [{\"url\": \"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q\", \"name\": \"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10\", \"name\": \"https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new\", \"name\": \"https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new\", \"name\": \"https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.wasmtime.dev/stability-release.html\", \"name\": \"https://docs.wasmtime.dev/stability-release.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4\", \"name\": \"https://github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime\u0027s Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host. Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via `Memory::new` and shared memories are now excluded from core dumps. As a workaround, eembeddings affected by this issue should use `SharedMemory::new` instead of `Memory::new` to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-362\", \"description\": \"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-12T21:25:50.832Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-64345\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-12T21:40:37.909Z\", \"dateReserved\": \"2025-10-30T17:40:52.031Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-12T21:25:50.832Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.