CVE-2025-66627 | THREATINT

Description

Wasmi is a WebAssembly interpreter focused on constrained and embedded systems. In versions 0.41.0, 0.41.1, 0.42.0 through 0.47.1, 0.50.0 through 0.51.2 and 1.0.0, Wasmi's linear memory implementation leads to a Use After Free vulnerability, triggered by a WebAssembly module under certain memory growth conditions. This issue potentially leads to memory corruption, information disclosure, or code execution. This issue is fixed in versions 0.41.2, 0.47.1, 0.51.3 and 1.0.1. To workaround this issue, consider limiting the maximum linear memory sizes where feasible.

PUBLISHED Reserved 2025-12-05 | Published 2025-12-09 | Updated 2025-12-09 | Assigner GitHub_M

HIGH: 8.4CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-416: Use After Free

Product status

>= 0.41.0, < 0.41.2

affected

>= 0.42.0, < 0.47.1

affected

>= 0.50.0, < 0.51.3

affected

>= 1.0.0, < 1.0.1

affected

References

github.com/.../wasmi/security/advisories/GHSA-g4v2-cjqp-rfmq

cve.org (CVE-2025-66627)

nvd.nist.gov (CVE-2025-66627)

Download JSON