Source: rust-wasmtime
Version: 26.0.1+dfsg-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 26.0.1+dfsg-4
Control: found -1 26.0.1+dfsg-3

Hi,

The following vulnerability was published for rust-wasmtime.

CVE-2025-64345[0]:
| Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4,
| 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an
| unsound interaction where a WebAssembly shared linear memory could
| be viewed as a type which provides safe access to the host (Rust) to
| the contents of the linear memory. This is not sound for shared
| linear memories, which could be modified in parallel, and this could
| lead to a data race in the host. Patch releases have been issued for
| all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3,
| and 38.0.4. These releases reject creation of shared memories via
| `Memory::new` and shared memories are now excluded from core dumps.
| As a workaround, embeddings affected by this issue should use
| `SharedMemory::new` instead of `Memory::new` to create shared
| memories. Affected embeddings should also disable core dumps if they
| are unable to upgrade. Note that core dumps are disabled by default
| but the wasm threads proposal (and shared memory) is enabled by
| default.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-64345
    https://www.cve.org/CVERecord?id=CVE-2025-64345
[1] https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q
[2] https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10

Regards,
Salvatore
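
A triage helper for the version ranges quoted in the report, as an added example that is not part of the original message or of the Wasmtime project. The function names and status labels are hypothetical. It assumes that a release series with no patch release listed in the advisory text stays unpatched upstream, and that series newer than 38 carry the fix.

```python
import re

# Patched releases named in the advisory text, keyed by major release series.
FIXED = {24: (24, 0, 5), 36: (36, 0, 3), 37: (37, 0, 3), 38: (38, 0, 4)}


def upstream_version(debian_version: str) -> tuple:
    """Return (major, minor, patch) from a Debian version like '26.0.1+dfsg-10'."""
    without_epoch = debian_version.split(":", 1)[-1]  # drop an epoch if present
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", without_epoch)
    if not match:
        raise ValueError(f"unrecognised version: {debian_version!r}")
    return tuple(int(part) for part in match.groups())


def triage(debian_version: str) -> str:
    """Classify a packaged Wasmtime version against the advisory's patch releases.

    Only the upstream version is compared. A Debian revision may carry a
    backported patch, which has to be checked in the package changelog.
    """
    version = upstream_version(debian_version)
    major = version[0]
    if major in FIXED:
        # A patch release exists in this series: compare against it.
        return "patched" if version >= FIXED[major] else "upgrade-in-series"
    if major > max(FIXED):
        # Assumption: series released after 38 include the fix.
        return "patched"
    # Assumption: no patch release was issued for this series, so the
    # options are a backport of the fix or the workarounds in the advisory
    # (SharedMemory::new instead of Memory::new, core dumps disabled).
    return "no-upstream-patch"


if __name__ == "__main__":
    # Constructed sample inputs; the first is the version this bug is filed against.
    for sample in ["26.0.1+dfsg-10", "24.0.4", "24.0.5", "1:37.0.3-1", "38.0.3"]:
        print(f"{sample:18} {triage(sample)}")
```

A "patched" result from this helper reflects the upstream version only and does not replace the security tracker entry at [0].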

