Improper access control in Wasmtime - CVE-2025-64345

 


Published: April 23, 2026


Vulnerability identifier: #VU127041
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-64345
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Bytecode Alliance
Affected software:
Wasmtime

Detailed vulnerability description

The vulnerability allows a local privileged user to modify data in host memory.

The vulnerability exists due to improper access control in the Wasmtime Rust embedder API when creating or exposing a WebAssembly shared linear memory as wasmtime::Memory. A local privileged user can modify data in host memory by creating a shared memory with Memory::new or by triggering a core dump that reads shared linear memory.

User interaction is required, and exploitation affects embeddings that create and share WebAssembly shared memories across threads.


How to mitigate CVE-2025-64345

Install the security update from the vendor's website.
