bytecodealliance wasmtime up to 24.0.4/36.0.2/37.0.2/38.0.3 Shared Memory Page Memory::new race condition

Summaryinfo

A vulnerability was found in bytecodealliance wasmtime up to 24.0.4/36.0.2/37.0.2/38.0.3. It has been rated as problematic. This impacts the function Memory::new of the component Shared Memory Page Handler. The manipulation leads to race condition. This vulnerability is uniquely identified as CVE-2025-64345. Local access is required to approach this attack. No exploit exists. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in bytecodealliance wasmtime up to 24.0.4/36.0.2/37.0.2/38.0.3. It has been rated as problematic. This issue affects the function Memory::new of the component Shared Memory Page Handler. The manipulation with an unknown input leads to a race condition vulnerability. Using CWE to declare the problem leads to CWE-362. The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. Impacted is integrity. The summary by CVE is:

Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host. Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via `Memory::new` and shared memories are now excluded from core dumps. As a workaround, eembeddings affected by this issue should use `SharedMemory::new` instead of `Memory::new` to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default.

The advisory is shared at github.com. The identification of this vulnerability is CVE-2025-64345 since 10/30/2025. The exploitation is known to be difficult. An attack has to be approached locally. Additional levels of successful authentication are required for exploitation. Technical details are known, but no exploit is available.

Upgrading to version 24.0.5, 36.0.3, 37.0.3 or 38.0.4 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-131930). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• bytecodealliance

Name

• wasmtime

Version

• 24.0.0
• 24.0.1
• 24.0.2
• 24.0.3
• 24.0.4
• 36.0.0
• 36.0.1
• 36.0.2
• 37.0.0
• 37.0.1
• 37.0.2
• 38.0.0
• 38.0.1
• 38.0.2
• 38.0.3

License

• open-source

Website

• Product: https://github.com/bytecodealliance/wasmtime/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion