Submit #719829: wasm3 v0.5.0 and master-branch Memory Corruption

Title: wasm3 v0.5.0 and master-branch Memory Corruption
Description:

### Description

We discovered a critical security vulnerability in Wasm3. The application crashes with a Segmentation Fault (SEGV) on a WRITE access inside the `op_SetSlot_i32` function. Crucially, the crash reproduces in a Release build, which indicates that the memory corruption (an out-of-bounds write) is present in production-optimized binaries and is not an artifact of debug assertions.

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release
- Tools: AddressSanitizer
- Affected Version: `master` branch (the title also names v0.5.0)

### Vulnerability Details

- Target: Wasm3
- Crash Type: Segmentation Fault (SEGV) on a WRITE memory access
- Location: `op_SetSlot_i32` (in `m3_exec.h` or the generated core)
- Crash Address: `0x53100003b188`. ASAN reported a raw SEGV from its signal handler rather than a heap-buffer-overflow, so the store was not caught by a shadow check in a redzone next to a live allocation; it faulted on an unmapped page. Which mapping that page borders (the interpreter stack allocation or something else) is not established by this report.

Root Cause Analysis: The stack trace points to `op_SetSlot_i32`. This opcode writes a 32-bit integer value into a specific slot on the Wasm3 interpreter stack. The ASAN report explicitly states that the signal is caused by a WRITE memory access, and the faulting PC lies inside `op_SetSlot_i32` itself, so the faulting instruction is the slot store. This suggests that the interpreter failed to validate the slot index or the stack boundary before writing, leading to an out-of-bounds write. Because the primitive is a write rather than a read, it can corrupt interpreter state instead of merely crashing; how much control an attacker has over the slot index and the written value, and therefore whether this can be turned into code execution, is not established here. Note that the fault address is not in the zero page and the PC is non-zero, so this is neither a null-pointer dereference nor a call through a NULL function pointer.

### Reproduce

```
./wasm3 repro
```

Download Link: [repro](https://github.com/oneafter/cve-proofs/blob/main/POC-20251203-01/repro)

The report below comes from an AddressSanitizer-instrumented build. To support the claim about production binaries, the same input should also be run against an uninstrumented `-O2` build and shown to fault there as well.

ASAN report

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==5194==ERROR: AddressSanitizer: SEGV on unknown address 0x53100003b188 (pc 0x55fb5a18f373 bp 0x000000000000 sp 0x7fff2915a9a0 T0)
==5194==The signal is caused by a WRITE memory access.
    #0 0x55fb5a18f373 in op_SetSlot_i32 (/src/repro/wasm3/build/wasm3+0x36373)
    #1 0x55fb5a1b4e29 in m3_CallArgv (/src/repro/wasm3/build/wasm3+0x5be29)
    #2 0x55fb5a178aae in repl_call (/src/repro/wasm3/build/wasm3+0x1faae)
    #3 0x55fb5a176034 in main (/src/repro/wasm3/build/wasm3+0x1d034)
    #4 0x7f9095c821c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
    #5 0x7f9095c8228a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a)
    #6 0x55fb5a177fe4 in _start (/src/repro/wasm3/build/wasm3+0x1efe4)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/src/repro/wasm3/build/wasm3+0x36373) in op_SetSlot_i32
==5194==ABORTING
```
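Added example, not code from the wasm3 project or from this submission: a small triage script that parses an AddressSanitizer DEADLYSIGNAL report and classifies the fault from the facts the report states (access kind, fault address, PC, top frame). The first sample is the report quoted above, reflowed one frame per line; the second, a call through a NULL function pointer, is constructed for contrast. The first-page threshold for "null-pointer dereference" and the verdict wording are this example's own assumptions.

```python
"""ASAN DEADLYSIGNAL triage helper.

Added example: this is not wasm3 code and not part of the submission above.
It parses the unsymbolized "(module+offset)" frame form that ASAN prints when
no debug info is available, which is the form in the quoted report.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The report quoted in the submission, reflowed one frame per line.
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==5194==ERROR: AddressSanitizer: SEGV on unknown address 0x53100003b188 (pc 0x55fb5a18f373 bp 0x000000000000 sp 0x7fff2915a9a0 T0)
==5194==The signal is caused by a WRITE memory access.
    #0 0x55fb5a18f373 in op_SetSlot_i32 (/src/repro/wasm3/build/wasm3+0x36373)
    #1 0x55fb5a1b4e29 in m3_CallArgv (/src/repro/wasm3/build/wasm3+0x5be29)
    #2 0x55fb5a178aae in repl_call (/src/repro/wasm3/build/wasm3+0x1faae)
    #3 0x55fb5a176034 in main (/src/repro/wasm3/build/wasm3+0x1d034)
    #4 0x7f9095c821c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
    #5 0x7f9095c8228a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a)
    #6 0x55fb5a177fe4 in _start (/src/repro/wasm3/build/wasm3+0x1efe4)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/src/repro/wasm3/build/wasm3+0x36373) in op_SetSlot_i32
==5194==ABORTING
"""

# Constructed contrast case (not from the submission): a call through a NULL
# function pointer, which is what "pc is zero" actually looks like under ASAN.
NULL_CALL_REPORT = """\
==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x7ffd1a2b3c40 sp 0x7ffd1a2b3c20 T0)
==1==Hint: pc points to the zero page.
==1==The signal is caused by a READ memory access.
==1==Hint: address points to the zero page.
    #0 0x000000000000  (<unknown module>)
    #1 0x55d0c0ffee10 in dispatch (/tmp/example+0x1e10)
"""

# Assumption: a fault address in the first page is treated as a null-pointer dereference.
NEAR_NULL_LIMIT = 0x1000

_SEGV_RE = re.compile(r"SEGV on unknown address 0x([0-9a-fA-F]+) \(pc 0x([0-9a-fA-F]+) ")
_ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
_FRAME_RE = re.compile(r"#(\d+) 0x([0-9a-fA-F]+)(?: in ([^\s(]+))?\s+\(([^)]+)\)")


@dataclass
class Frame:
    index: int
    pc: int
    symbol: Optional[str]   # None when ASAN printed no "in <symbol>" part
    module: str             # "path+offset", or "<unknown module>"


@dataclass
class SegvReport:
    address: int
    pc: int
    access: Optional[str]   # "READ", "WRITE", or None if ASAN did not say
    frames: List[Frame] = field(default_factory=list)

    def top_symbol(self) -> Optional[str]:
        return self.frames[0].symbol if self.frames else None

    def verdict(self) -> str:
        """Classify the fault using only what the report states."""
        if self.pc == 0:
            return "call through a NULL function pointer (pc is 0)"
        if self.address < NEAR_NULL_LIMIT:
            return "null-pointer dereference (fault address in the first page)"
        if self.access == "WRITE":
            return "wild (out-of-bounds) WRITE to a non-null address: memory corruption"
        if self.access == "READ":
            return "wild (out-of-bounds) READ from a non-null address"
        return "SEGV with unknown access kind"


def parse_asan_segv(text: str) -> SegvReport:
    """Extract fault address, pc, access kind and stack frames from an ASAN SEGV report."""
    m = _SEGV_RE.search(text)
    if m is None:
        raise ValueError("not an AddressSanitizer SEGV report")
    access = _ACCESS_RE.search(text)
    frames = [Frame(int(i), int(pc, 16), sym or None, mod)
              for i, pc, sym, mod in _FRAME_RE.findall(text)]
    return SegvReport(address=int(m.group(1), 16), pc=int(m.group(2), 16),
                      access=access.group(1) if access else None, frames=frames)


if __name__ == "__main__":
    for name, text in (("submission", SAMPLE_REPORT), ("null-call", NULL_CALL_REPORT)):
        r = parse_asan_segv(text)
        print(f"{name}: top={r.top_symbol()} access={r.access} "
              f"addr={r.address:#x} pc={r.pc:#x} -> {r.verdict()}")
```

Run on the quoted report it yields a WRITE at a non-null address with a valid PC in `op_SetSlot_i32`; the constructed contrast case is the only one that triggers the "pc is 0" branch. The frame regex deliberately targets the `(module+offset)` form; reports symbolized to `file:line:col` need a second pattern.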
Source: https://github.com/wasm3/wasm3/issues/543
User: Oneafter (UID 92781)
Submission: 12/19/2025 10:52
Moderation: 01/01/2026 10:23 (13 days later)
Status: Accepted
VulDB entry: 339334 [wasm3 up to 0.5.0 m3_exec.h op_SetSlot_i32/op_CallIndirect memory corruption]
Points: 20