CVE-2025-61670 — Missing Release of Resource after Effective Lifetime in Wasmtime

CWE-772 — Missing Release of Resource after Effective Lifetime2 documents2 sources

Severity

1.0LOWNVD

EPSS

0.0%

top 96.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bytecodealliance Wasmtime Debian Rust-wasmtime

Timeline

PublishedOct 7

Description

Wasmtime is a runtime for WebAssembly. Wasmtime 37.0.0 and 37.0.1 have memory leaks in the C/C++ API when using bindings for the `anyref` or `externref` WebAssembly values. This is caused by a regression introduced during the development of 37.0.0 and all prior versions of Wasmtime are unaffected. If `anyref` or `externref` is not used in the C/C++ API then embeddings are also unaffected by the leaky behavior. The `wasmtime` Rust crate is unaffected by this leak. Development of Wasmtime 37.0.0 …

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

Affected Packages3 packages

▶debiandebian/rust-wasmtime

▶CVEListV5bytecodealliance/wasmtime>= 37.0.0, < 37.0.2

▶NVDbytecodealliance/wasmtime37.0.0, 37.0.1+1

Patches

Patch: github.com ↗Patch: github.com ↗

📋Vendor Advisories

Debian

CVE-2025-61670: rust-wasmtime - Wasmtime is a runtime for WebAssembly. Wasmtime 37.0.0 and 37.0.1 have memory le...↗2025

▶