Submit #719831: wasm3 v0.5.0 and master-branch Memory Corruption

Title: wasm3 v0.5.0 and master-branch Memory Corruption

Description:

### Description

We discovered a security vulnerability (Segmentation Fault) in Wasm3. The application crashes with a SEGV on READ access within the op_CallIndirect function. This crash is reproducible in RELEASE builds. This confirms that the issue is a memory safety defect (likely an Out-of-Bounds Read) affecting production configurations.

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release
- Tools: AddressSanitizer
- Affected Version: `master branch`

### Vulnerability Details

- Target: Wasm3
- Crash Type: Segmentation Fault (SEGV) on READ memory access
- Location: op_CallIndirect (in m3_exec.h or generated core)
- Crash Address: 0x53100003b188

Root Cause Analysis: The stack trace identifies op_CallIndirect as the crashing point. This opcode performs an indirect function call using an index into a table. The ASAN report indicates a READ violation. This suggests that the interpreter attempted to read function data from a table or stack location using an invalid index or pointer, without sufficient bounds checking.

### Reproduce

```
./wasm3 repro
```

Download Link: [repro](https://github.com/oneafter/cve-proofs/blob/main/POC-20251203-04/repro)

ASAN report

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4994==ERROR: AddressSanitizer: SEGV on unknown address 0x53100003b188 (pc 0x561992868352 bp 0x52d000000440 sp 0x7ffe4d888c20 T0)
==4994==The signal is caused by a READ memory access.
    #0 0x561992868352 in op_CallIndirect (/src/repro/wasm3/build/wasm3+0x54352)
    #1 0x56199286fe29 in m3_CallArgv (/src/repro/wasm3/build/wasm3+0x5be29)
    #2 0x561992833aae in repl_call (/src/repro/wasm3/build/wasm3+0x1faae)
    #3 0x561992831034 in main (/src/repro/wasm3/build/wasm3+0x1d034)
    #4 0x7f18178e91c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
    #5 0x7f18178e928a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a)
    #6 0x561992832fe4 in _start (/src/repro/wasm3/build/wasm3+0x1efe4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/src/repro/wasm3/build/wasm3+0x54352) in op_CallIndirect
==4994==ABORTING
```
Source: https://github.com/wasm3/wasm3/issues/547
User: Oneafter (UID 92781)
Submission: 12/19/2025 10:53 (4 months ago)
Moderation: 01/01/2026 10:23 (13 days later)
Status: Duplicate
VulDB entry: 339334 [wasm3 up to 0.5.0 m3_exec.h op_SetSlot_i32/op_CallIndirect memory corruption]
Points: 0
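
The root-cause analysis in the submission points at an indirect call that reads from a table without a sufficient bounds check. The following C example is added here for illustration and is not code from wasm3 or from the submission. It shows an indirect call that validates the table index, the element and the signature before calling, which are the conditions under which WebAssembly's `call_indirect` must trap. The types `table_entry` and `func_table`, the function `checked_call_indirect` and the sample table are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical types for illustration; these are not wasm3's structures. */
typedef int32_t (*fn_i32)(int32_t);
typedef struct {
    uint32_t type_id; /* signature id the function was declared with */
    fn_i32 fn;        /* NULL marks an uninitialised table element */
} table_entry;
typedef struct {
    const table_entry *entries;
    uint32_t size;    /* number of elements in entries[] */
} func_table;
typedef enum { CALL_OK, TRAP_OUT_OF_BOUNDS, TRAP_NULL_ELEMENT,
               TRAP_TYPE_MISMATCH } call_status;

/* Validate the module-supplied index before any table read, then the
 * element and its signature, and only then make the call. */
call_status checked_call_indirect(const func_table *t, uint32_t index,
        uint32_t expected_type, int32_t arg, int32_t *result)
{
    if (index >= t->size)          /* unsigned compare: no negative bypass */
        return TRAP_OUT_OF_BOUNDS;
    const table_entry *e = &t->entries[index];
    if (e->fn == NULL)
        return TRAP_NULL_ELEMENT;
    if (e->type_id != expected_type)
        return TRAP_TYPE_MISMATCH;
    *result = e->fn(arg);
    return CALL_OK;
}

/* Constructed sample table: two functions and one empty slot. */
static int32_t add_one(int32_t x) { return x + 1; }
static int32_t twice(int32_t x) { return x * 2; }
static const table_entry sample_entries[] = {
    { 1, add_one }, { 2, twice }, { 1, NULL } };
static const func_table sample_table = { sample_entries, 3 };
call_status demo(uint32_t index, uint32_t type, int32_t *out)
{
    return checked_call_indirect(&sample_table, index, type, 20, out);
}

int main(void)
{
    int32_t r = 0;
    printf("in range: %d, past end: %d\n", demo(0, 1, &r), demo(3, 1, &r));
    return 0;
}
```

An out-of-range index returns a trap status before `entries[index]` is ever dereferenced, so the invalid read never happens.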
