PT-2025-46722 · Wasmtime+1

Published 2025-11-11 · Updated 2025-11-13 · CVE-2025-64345

CVSS v3.1: 1.8 (Low)

Vector: AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Wasmtime versions 24.0.0 through 24.0.4
Wasmtime versions 36.0.0 through 36.0.2
Wasmtime versions 37.0.0 through 37.0.2
Wasmtime versions 38.0.0 through 38.0.3

Description

Wasmtime’s Rust embedder API could incorrectly expose a WebAssembly shared linear memory through a type that gives the host (Rust) safe access to the linear memory’s contents. This is problematic for shared linear memories, which can be modified concurrently, potentially leading to a data race in the host environment. The issue arises from the use of wasmtime::Memory to represent shared linear memories instead of wasmtime::SharedMemory. Specifically, the wasmtime::Memory::new constructor did not properly prevent the creation of wasmtime::Memory instances for shared memory types, and core dumps could expose shared linear memories, leading to unsynchronized reads. The API of wasmtime::SharedMemory does not provide accessors which return &[u8] in Rust, as that is not a sound type signature when other threads could be modifying memory.

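The reasoning in the last sentence of the description, as an added example that is not Wasmtime's code and not part of the advisory: a std-only Rust model of a shared memory whose host API copies bytes out through atomics instead of handing out &[u8]. SharedLinearMemory, span, read, write and concurrent_snapshot are hypothetical names, and the 0xAA fill pattern is constructed sample data.

```rust
use std::sync::atomic::{AtomicU8, Ordering};
use std::sync::Arc;
use std::thread;

/// Hypothetical model of a shared linear memory (not Wasmtime's own type).
/// Every byte is an atomic, so access from several threads is not a data race.
#[derive(Clone)]
pub struct SharedLinearMemory(Arc<[AtomicU8]>);
impl SharedLinearMemory {
    pub fn new(len: usize) -> Self {
        Self((0..len).map(|_| AtomicU8::new(0)).collect())
    }
    // Deliberately no `fn data(&self) -> &[u8]`: a `&[u8]` promises the bytes
    // cannot change while it is borrowed, which another thread would violate.
    /// Bounds-checked view of `len` bytes at `offset`; None if out of range.
    fn span(&self, offset: usize, len: usize) -> Option<&[AtomicU8]> {
        self.0.get(offset..offset.checked_add(len)?)
    }
    /// Copy bytes out of the memory into `out`; false if out of bounds.
    pub fn read(&self, offset: usize, out: &mut [u8]) -> bool {
        let Some(src) = self.span(offset, out.len()) else { return false };
        out.iter_mut().zip(src).for_each(|(d, s)| *d = s.load(Ordering::Relaxed));
        true
    }
    /// Store `data` into the memory; false if out of bounds.
    pub fn write(&self, offset: usize, data: &[u8]) -> bool {
        let Some(dst) = self.span(offset, data.len()) else { return false };
        dst.iter().zip(data).for_each(|(d, s)| d.store(*s, Ordering::Relaxed));
        true
    }
}

/// A writer thread fills the memory with 0xAA while the host copies snapshots.
/// Returns (every byte observed was 0x00 or 0xAA, contents after the join).
pub fn concurrent_snapshot(len: usize) -> (bool, Vec<u8>) {
    let mem = SharedLinearMemory::new(len);
    let m = mem.clone();
    let writer = thread::spawn(move || m.write(0, &vec![0xAAu8; len]));
    let (mut snap, mut sane) = (vec![0u8; len], true);
    for _ in 0..100 {
        mem.read(0, &mut snap); // may be torn (old and new bytes mixed), never UB
        sane &= snap.iter().all(|b| *b == 0x00 || *b == 0xAA);
    }
    writer.join().unwrap();
    mem.read(0, &mut snap);
    (sane, snap)
}

fn main() { println!("{:?}", concurrent_snapshot(8)); }
```

A copied snapshot can still mix old and new bytes, so host code that parses it should validate the copy rather than re-read the live memory.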
Recommendations

Wasmtime versions 24.0.0 through 24.0.4: Upgrade to version 24.0.5 or later.
Wasmtime versions 36.0.0 through 36.0.2: Upgrade to version 36.0.3 or later.
Wasmtime versions 37.0.0 through 37.0.2: Upgrade to version 37.0.3 or later.
Wasmtime versions 38.0.0 through 38.0.3: Upgrade to version 38.0.4 or later.

As a temporary workaround, use SharedMemory::new instead of Memory::new to create shared memories. Disable core dumps if upgrading is not immediately possible.

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2025-64345
GHSA-HC7M-R6V8-HG9Q
RUSTSEC-2025-0118

Affected Products

Debian
Wasmtime