CVE-2025-62711
Published 2025-10-24
Priority: P4 (12), low
CVSS 3.1 base score: 3.1 (AV:N / AC:H / PR:L / UI:N / S:U / C:N / I:N / A:L)
EPSS: 0.40% (32.3rd percentile)
Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3, the implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. Wasmtime 38.0.3 has been released and is patched to fix this issue. There are no workarounds.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | >= 38.0.0, < 38.0.3 | 38.0.3 |
| debian | rust-wasmtime | — | — |
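Since the advisory offers no workaround and the only fix is upgrading to 38.0.3, the practical check is whether a build's dependency graph pins a `wasmtime` crate in the half-open range >= 38.0.0, < 38.0.3. The Rust program below does that against a Cargo.lock. It is an added example, not code from this page's sources or from the Wasmtime project: the lockfile reader is a small line scanner written here (not Cargo's own parser), the sample lockfile is constructed, and the version parser drops pre-release and build suffixes before comparing, an assumption made for this example.

```rust
// Added example (not Wasmtime project code): flag `wasmtime` entries in a
// Cargo.lock that fall in the CVE-2025-62711 range (>= 38.0.0, < 38.0.3).

/// Core semver triple. Pre-release/build suffixes are dropped before the range
/// check (assumption for this example; Wasmtime releases are plain x.y.z).
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

/// Introduced in 38.0.0, fixed in 38.0.3 (per the advisory text).
pub const INTRODUCED: Version = Version { major: 38, minor: 0, patch: 0 };
pub const FIXED: Version = Version { major: 38, minor: 0, patch: 3 };

/// Parse "38.0.1" or "38.0.1-pre.2+meta" into a Version; None if malformed.
pub fn parse_version(s: &str) -> Option<Version> {
    let core = s.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.');
    let major = parts.next()?.parse().ok()?;
    let minor = parts.next()?.parse().ok()?;
    let patch = parts.next()?.parse().ok()?;
    if parts.next().is_some() {
        return None; // more than three components is not a semver core
    }
    Some(Version { major, minor, patch })
}

/// Half-open range check: INTRODUCED <= v < FIXED.
pub fn is_affected(v: Version) -> bool {
    v >= INTRODUCED && v < FIXED
}

/// Minimal line scanner for Cargo.lock `[[package]]` entries. Cargo writes
/// `name = "..."` and `version = "..."` on their own lines, so no TOML crate
/// is needed for this check. Returns (name, version) pairs in file order.
pub fn lockfile_packages(lock: &str) -> Vec<(String, String)> {
    fn flush(name: &mut Option<String>, ver: &mut Option<String>, out: &mut Vec<(String, String)>) {
        if let (Some(n), Some(v)) = (name.take(), ver.take()) {
            out.push((n, v));
        }
    }
    let mut out = Vec::new();
    let (mut name, mut ver) = (None, None);
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            flush(&mut name, &mut ver, &mut out); // close the previous entry
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            ver = Some(rest.trim_matches('"').to_string());
        }
    }
    flush(&mut name, &mut ver, &mut out);
    out
}

/// Versions of the `wasmtime` crate that are in the affected range. A version
/// the parser cannot read is reported too, so it gets human review instead of
/// silently passing.
pub fn vulnerable_wasmtime_versions(lock: &str) -> Vec<String> {
    lockfile_packages(lock)
        .into_iter()
        .filter(|(name, _)| name == "wasmtime")
        .filter(|(_, v)| parse_version(v).map_or(true, is_affected))
        .map(|(_, v)| v)
        .collect()
}

/// Constructed sample lockfile for this example; not from a real project.
pub const SAMPLE_LOCK: &str = r#"version = 4

[[package]]
name = "anyhow"
version = "1.0.98"

[[package]]
name = "wasmtime"
version = "38.0.1"
dependencies = [
 "anyhow",
]

[[package]]
name = "wasmtime"
version = "37.0.2"
"#;

fn main() {
    // Usage: pass a path to a real Cargo.lock; with no argument the sample is used.
    let lock = match std::env::args().nth(1) {
        Some(path) => std::fs::read_to_string(&path).expect("read Cargo.lock"),
        None => SAMPLE_LOCK.to_string(),
    };
    let hits = vulnerable_wasmtime_versions(&lock);
    for v in &hits {
        println!("wasmtime {v}: in CVE-2025-62711 range, upgrade to 38.0.3");
    }
    if !hits.is_empty() {
        std::process::exit(1);
    }
}
```

A lockfile can carry several `wasmtime` entries when a workspace pins different majors, which is why the check reports every match rather than the first; a non-zero exit makes it usable as a CI gate. For crates that embed Wasmtime only through a system package (the Debian `rust-wasmtime` entry above), check the distribution's resolved status instead.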
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 3.1 | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L |
| nvd | 4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 2.1 | LOW | — |
| vendor_debian | — | 2.1 | LOW | — |
| vendor_redhat | — | 2.1 | LOW | — |
OSV
Wasmtime vulnerable to segfault when using component resources
osv · 2025-10-27 · CVE-2025-62711 [LOW]
### Impact
The implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. This bug was introduced in the release of Wasmtime 38.0.0 and affects its subsequent patch releases 38.0.1 and 38.0.2. No other versions of Wasmtime are affected.
In Wasmtime 38 the implementation of host-to-wasm trampolines was refactored to remove the old usage of `setjmp` and `longjmp` to unwind the stack. In this transition, however, trampolines for component-model intrinsics were accidentally not updated, meaning that they didn't update runtime data structures as the o
GHSA
Wasmtime vulnerable to segfault when using component resources
ghsa · 2025-10-27 · CVE-2025-62711 [LOW] · CWE-755
### Impact
The implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. This bug was introduced in the release of Wasmtime 38.0.0 and affects its subsequent patch releases 38.0.1 and 38.0.2. No other versions of Wasmtime are affected.
In Wasmtime 38 the implementation of host-to-wasm trampolines was refactored to remove the old usage of `setjmp` and `longjmp` to unwind the stack. In this transition, however, trampolines for component-model intrinsics were accidentally not updated, meaning that they didn't update runtime data structures as the o
OSV
CVE-2025-62711: Wasmtime is a runtime for WebAssembly
osv · 2025-10-24 · CVSS 2.1 · CVE-2025-62711 [LOW]
Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3, the implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. Wasmtime 38.0.3 has been released and is patched to fix this issue. There are no workarounds.
OSV (RustSec)
Possible host crash with host-to-wasm component intrinsics
osv · 2025-07-18 · CVE-2025-62711
This is an entry in the RustSec database for the Wasmtime security advisory located at
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4h67-722j-5pmc
For more information see the GitHub-hosted security advisory.
Red Hat
wasmtime: Wasmtime vulnerable to segfault when using component resources
vendor_redhat · 2025-10-24 · CVSS 2.1 · CVE-2025-62711 [LOW] · CWE-755
Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3, the implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. Wasmtime 38.0.3 has been released and is patched to fix this issue. There are no workarounds.
A Denial of Service vulnerability has been identified in the Wasmtime WebAssembly runtime, affecting versions 38.0.0 through 38.0.2. An attacker can exploit this flaw by providing a carefully crafted WebAssembly component and invoking it in a specific manner. This malicious action causes the host process
Debian
CVE-2025-62711: rust-wasmtime - Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3,...
vendor_debian · 2025 · CVSS 2.1 · CVE-2025-62711 [LOW]
Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3, the implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. Wasmtime 38.0.3 has been released and is patched to fix this issue. There are no workarounds.
Scope: local
| Suite | Status |
|---|---|
| forky | resolved |
| sid | resolved |
| trixie | resolved |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-10-24