CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2025-58749 – WAMR runtime hangs or crashes with large memory.fill addresses in LLVM-JIT mode
https://notcve.org/view.php?id=CVE-2025-58749
16 Sep 2025 — WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. In WAMR versions prior to 2.4.2, when running in LLVM-JIT mode, the runtime cannot exit normally when executing WebAssembly programs containing a memory.fill instruction where the first operand (memory address pointer) is greater than or equal to 2147483648 bytes (2GiB). This causes the runtime to hang in release builds or crash in debug builds due to accessing an invalid pointer. The issue does not occur in FAST-JIT mo... • https://github.com/bytecodealliance/wasm-micro-runtime/commit/95f506a6e77d3ac7588eac7263f95558edfa7f3b • CWE-190: Integer Overflow or Wraparound CWE-822: Untrusted Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-52284
https://notcve.org/view.php?id=CVE-2023-52284
31 Dec 2023 — Bytecode Alliance wasm-micro-runtime (aka WebAssembly Micro Runtime or WAMR) before 1.3.0 can have an "double free or corruption" error for a valid WebAssembly module because push_pop_frame_ref_offset is mishandled. Bytecode Alliance wasm-micro-runtime (también conocido como WebAssembly Micro Runtime o WAMR) anterior a 1.3.0 puede tener un error de "double free or corruption" para un módulo WebAssembly válido porque push_pop_frame_ref_offset no se maneja correctamente. • https://github.com/bytecodealliance/wasm-micro-runtime/compare/WAMR-1.2.3...WAMR-1.3.0 • CWE-415: Double Free •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-48105
https://notcve.org/view.php?id=CVE-2023-48105
22 Nov 2023 — An heap overflow vulnerability was discovered in Bytecode alliance wasm-micro-runtime v.1.2.3 allows a remote attacker to cause a denial of service via the wasm_loader_prepare_bytecode function in core/iwasm/interpreter/wasm_loader.c. Se descubrió una vulnerabilidad de desbordamiento del heap en Bytecode alliance wasm-micro-runtime v.1.2.3 que permite a un atacante remoto provocar una denegación de servicio a través de la función wasm_loader_prepare_bytecode en core/iwasm/interpreter/wasm_loader.c. • http://bytecode.com • CWE-787: Out-of-bounds Write •