CVE-2025-64345

Nov. 12, 2025, 10:15 p.m.

1.8
Low

Description

Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host. Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via `Memory::new` and shared memories are now excluded from core dumps. As a workaround, eembeddings affected by this issue should use `SharedMemory::new` instead of `Memory::new` to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default.

Product(s) Impacted

Vendor Product Versions
Wasmtime
  • Wasmtime
  • <38.0.4

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a wasmtime wasmtime <38.0.4 / / / / / / /

References

https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new
https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new
https://docs.wasmtime.dev/stability-release.html
https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10
https://github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q

Tags

security-advisories@github.com
CWE-362
2025-11-12
CVE-2025-64345

CVSS Score

1.8 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: HIGH
  • Privileges Required: HIGH
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N

    View Vector String

Timeline

Published: Nov. 12, 2025, 10:15 p.m.
Last Modified: Nov. 12, 2025, 10:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.