CVE-2025-66627
HIGHwasmi 0.41.0-0.41.1 0.42.0-0.47.1 0.50.0-0.51.2 1.0.0 - Use-After-Free in Linear Memory Implementation
Title source: llmDescription
Wasmi is a WebAssembly interpreter focused on constrained and embedded systems. In versions 0.41.0, 0.41.1, 0.42.0 through 0.47.1, 0.50.0 through 0.51.2 and 1.0.0, Wasmi's linear memory implementation leads to a Use After Free vulnerability, triggered by a WebAssembly module under certain memory growth conditions. This issue potentially leads to memory corruption, information disclosure, or code execution. This issue is fixed in versions 0.41.2, 0.47.1, 0.51.3 and 1.0.1. To workaround this issue, consider limiting the maximum linear memory sizes where feasible.
References (1)
Core 1
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-g4v2-cjqp-rfmq
Scores
CVSS v3
8.4
EPSS
0.0013
EPSS Percentile
2.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-416
Status
published
Products (3)
crates.io/wasmi
0.41.0 - 0.41.2crates.io
wasmi-labs/wasmi
1.0.0
wasmi-labs/wasmi
0.41.0 - 0.41.2
Published
Dec 09, 2025
Tracked Since
Feb 18, 2026