SB2026042398 - Improper access control in Wasmtime
Published: April 23, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Improper access control (CVE-ID: CVE-2025-64345)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to modify data in host memory.
The vulnerability exists due to improper access control in the wasmtime Rust embedder API when creating or exposing a WebAssembly shared linear memory as wasmtime::Memory. A local privileged user can create a shared memory with Memory::new or trigger a core dump that reads shared linear memory to modify data in host memory.
User interaction is required, and exploitation affects embeddings that create and share WebAssembly shared memories across threads.
Remediation
Install the update from the vendor's website.