CVE-2025-64345: Wasmtime provides unsound API access to a WebAssembly shared linear memory
(updated )
Wasmtime’s Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host.
Wasmtime has a wasmtime::Memory type which represents linear memories in a WebAssembly module. Wasmtime also has wasmtime::SharedMemory, however, which represents shared linear memories introduced in the WebAssembly threads proposal. The API of SharedMemory does not provide accessors which return &[u8] in Rust, for example, as that’s not a sound type signature when other threads could be modifying memory. The wasmtime::Memory type, however, does provide this API as it’s intended to be used with non-shared memories where static knowledge is available that no concurrent or parallel reads or writes are happening. This means that it’s not sound to represent a shared linear memory with wasmtime::Memory and it must instead be represented with wasmtime::SharedMemory.
There were two different, erroneous, methods of creating a wasmtime::Memory which represents a shared memory however:
- The
wasmtime::Memory::newconstructor takes aMemoryTypewhich could beshared. This function did not properly reject shared memory types and require usage ofSharedMemory::newinstead. - Capturing a core dump with WebAssembly would expose all linear memories a
wasmtime::Memory. This means that a core dump would perform an unsynchronized read of shared linear memory, possibly leading to data races.
This is a bug in Wasmtime’s safe Rust API. It should not be possible to cause unsoundness with Wasmtime’s embedding API if unsafe is not used. Embeddings which do not use the wasm threads proposal nor created shared memories nor actually share shared memories across threads are unaffected. Only if shared memories are created across threads might an embedding be affected.
References
- docs.rs/wasmtime/latest/wasmtime/struct.Memory.html
- docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html
- docs.wasmtime.dev/stability-release.html
- github.com/advisories/GHSA-hc7m-r6v8-hg9q
- github.com/bytecodealliance/wasmtime
- github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10
- github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4
- github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q
- nvd.nist.gov/vuln/detail/CVE-2025-64345
- rustsec.org/advisories/RUSTSEC-2025-0118.html
Code Behaviors & Features
Detect and mitigate CVE-2025-64345 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →