CVE-2025-62711 — Improper Handling of Exceptional Conditions in Wasmtime

CWE-755 — Improper Handling of Exceptional Conditions7 documents5 sources

Severity

2.1LOWNVD

EPSS

0.0%

top 98.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bytecodealliance Wasmtime Debian Rust-wasmtime

Timeline

PublishedOct 24

Latest updateOct 27

Description

Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3, the implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. Wasmtime 38.0.3 has been released and is patched to fix this issue. There are no workarounds.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

Affected Packages4 packages

▶NVDbytecodealliance/wasmtime38.0.0 — 38.0.3

▶crates.iobytecodealliance/wasmtime38.0.0 — 38.0.3

▶debiandebian/rust-wasmtime

▶CVEListV5bytecodealliance/wasmtime>= 38.0.0, < 38.0.3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Wasmtime vulnerable to segfault when using component resources↗2025-10-27

▶

GHSA

Wasmtime vulnerable to segfault when using component resources↗2025-10-27

▶

OSV

CVE-2025-62711: Wasmtime is a runtime for WebAssembly↗2025-10-24

▶

OSV

Possible host crash with host-to-wasm component intrinsics↗2025-07-18

▶

📋Vendor Advisories

Red Hat

wasmtime: Wasmtime vulnerable to segfault when using component resources↗2025-10-24

▶

Debian

CVE-2025-62711: rust-wasmtime - Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3,...↗2025

▶