CVE-2025-53901 — Operation on a Resource after Expiration or Release in Wasmtime

CWE-672 — Operation on a Resource after Expiration or Release6 documents4 sources

Severity

3.5LOWNVD

EPSS

0.1%

top 69.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bytecodealliance Wasmtime Debian Rust-wasmtime

Timeline

PublishedJul 18

Description

Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_open` after calling `fd_renumber` with either two equal argument values or a second argument being equal to a previously-closed file descriptor number value. The corrupt state introduced in `fd_renumber` will lead to the s…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:LExploitability: 2.1 | Impact: 1.4

Affected Packages4 packages

▶NVDbytecodealliance/wasmtime33.0.0 — 33.0.2+2

▶crates.iobytecodealliance/wasmtime10.0.0 — 24.0.4+3

▶debiandebian/rust-wasmtime

▶CVEListV5bytecodealliance/wasmtime>= 33.0.0, < 33.0.2, >= 34.0.0, < 34.0.2+1

🔴Vulnerability Details

OSV

Host panic with `fd_renumber` WASIp1 function↗2025-07-18

▶

OSV

Wasmtime CLI is vulnerable to host panic through its fd_renumber function↗2025-07-18

▶

GHSA

Wasmtime CLI is vulnerable to host panic through its fd_renumber function↗2025-07-18

▶

OSV

CVE-2025-53901: Wasmtime is a runtime for WebAssembly↗2025-07-18

▶

📋Vendor Advisories

Debian

CVE-2025-53901: rust-wasmtime - Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34....↗2025

▶