PT-2026-54921 · Ladybird · Ladybird
Bikini
·
Published
2026-07-01
·
Updated
2026-07-01
·
CVE-2026-58592
CVSS v3.1
8.3
High
| Vector | AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Ladybird (affected versions not specified)
Description
A memory-safety flaw exists in the WebAssembly ESM-integration module loader. When a JavaScript function is imported into a WebAssembly module via the ESM path,
WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference to create host function(). The host callback captures this reference, which becomes dangling once the ESM link-loop iteration ends and the FunctionType is destroyed. This allows the host callback to return an empty result vector for a statically non-empty result, causing the destination register to retain an attacker-influenced value. This value is then consumed by the WASM-GC array.set handler, which performs a null check and bit-casts the reference low bits to an ArrayInstance pointer, leading to an arbitrary write. A web page can exploit this chain to achieve code execution within the WebContent process. This issue is reachable from HTML content without requiring instrumentation or source modification.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Type Confusion
Memory Corruption
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Ladybird