PT-2025-48092 · Wamr+1

Published: 2025-11-25 · Updated: 2025-12-01 · CVE-2025-64713

CVSS v3.1: 7.4 (High)

Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

WebAssembly Micro Runtime (WAMR) versions prior to 2.4.4

Description

WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. An out-of-bounds array access issue exists in WAMR's fast interpreter mode during WASM bytecode loading. Specifically, when the frame_ref_bottom and frame_offset_bottom arrays are at capacity and a GET_GLOBAL(I32) opcode is encountered, frame_ref_bottom is expanded, but frame_offset_bottom may not be. If an if opcode that triggers preserve_local_for_block immediately follows, the function uses stack_cell_num as the upper bound when traversing arrays, leading to out-of-bounds access to frame_offset_bottom because it wasn't expanded to match the increased stack_cell_num.

Recommendations

Update WebAssembly Micro Runtime (WAMR) to version 2.4.4 or later.
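
The invariant behind the description above, as an added illustration that is neither WAMR source nor the upstream patch: two parallel arrays walked under one shared bound must grow together, and the traversal should check that bound against each array's capacity. LoaderCtx, grow, push_cell, scan_cells and run are hypothetical names in a simplified model with constructed sizes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, not WAMR source; every name here is hypothetical. */
typedef struct {
    int16_t *ref, *offset;  /* stand in for frame_ref_bottom / frame_offset_bottom */
    uint32_t ref_cap, offset_cap, stack_cell_num;  /* capacities and shared bound */
} LoaderCtx;

/* Grow *buf to hold at least `need` cells; returns 0 on allocation failure. */
static int grow(int16_t **buf, uint32_t *cap, uint32_t need) {
    if (need <= *cap) return 1;
    int16_t *p = realloc(*buf, (size_t)(need + 8) * sizeof **buf);
    if (!p) return 0;
    *buf = p; *cap = need + 8;
    return 1;
}

/* Push one cell. lockstep=0 models the flaw: only `ref` is grown. */
static int push_cell(LoaderCtx *c, int lockstep) {
    uint32_t need = c->stack_cell_num + 1;
    if (!grow(&c->ref, &c->ref_cap, need)) return 0;
    if (lockstep && !grow(&c->offset, &c->offset_cap, need)) return 0;
    c->ref[need - 1] = 1;
    if (need <= c->offset_cap) c->offset[need - 1] = 0;  /* keep the model in bounds */
    c->stack_cell_num = need;
    return 1;
}

/* Check the shared bound against both capacities before walking; -1 = out of sync. */
static int scan_cells(const LoaderCtx *c) {
    uint32_t n = c->stack_cell_num;
    if (n > c->ref_cap || n > c->offset_cap) return -1;
    int live = 0;
    for (uint32_t i = 0; i < n; i++) live += (c->ref[i] && c->offset[i] >= 0);
    return live;
}

/* Fill 4-cell arrays to capacity, push a fifth cell, then scan. */
static int run(int lockstep) {
    LoaderCtx c = { calloc(4, sizeof(int16_t)), calloc(4, sizeof(int16_t)), 4, 4, 0 };
    int ok = c.ref && c.offset;
    for (int i = 0; i < 5 && ok; i++) ok = push_cell(&c, lockstep);
    int r = ok ? scan_cells(&c) : -2;
    free(c.ref); free(c.offset);
    return r;
}

int main(void) { printf("%d %d\n", run(0), run(1)); return 0; }
```

When only one array is grown, the shared counter exceeds the other array's capacity and the checked scan refuses to walk it; when both grow in lockstep, the scan covers all five cells.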

Exploit

Fix

Buffer Overflow

Weakness Enumeration

Related Identifiers

CVE-2025-64713
GHSA-GVX3-GG3X-RJCX

Affected Products

Wamr
Webassembly Micro Runtime