← back
CVE-2025-66627

Wasmi's Linear Memory has a Critical Use After Free Vulnerability

CVSS 8.4 HIGHEPSS 0.1%CWE-416
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.4EPSS 0.1%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
09 Dec 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Wasmi is a WebAssembly interpreter focused on constrained and embedded systems. In versions 0.41.0, 0.41.1, 0.42.0 through 0.47.1, 0.50.0 through 0.51.2 and 1.0.0, Wasmi's linear memory implementation leads to a Use After Free vulnerability, triggered by a WebAssembly module under certain memory growth conditions. This issue potentially leads to memory corruption, information disclosure, or code execution. This issue is fixed in versions 0.41.2, 0.47.1, 0.51.3 and 1.0.1. To workaround this issue, consider limiting the maximum linear memory sizes where feasible.
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
wasmi-labs · wasmi