CVE-2025-62711

EUVD-2025-35897
Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3, the implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. Wasmtime 38.0.3 has been released and is patched to fix this issue. There are no workarounds.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.1 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
bytecodealliancewasmtime
38.0.0 ≤
𝑥
< 38.0.3
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
rust-wasmtime
jammy
dne
noble
needs-triage
plucky
ignored
questing
needs-triage
Common Weakness Enumeration
References
https://github.com/bytecodealliance/wasmtime/commit/192f2fcdadfec9d0cf6b58548a85a7307450cbf5
https://github.com/bytecodealliance/wasmtime/pull/11592
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4h67-722j-5pmc