CVE-2025-64345: 
Rust vulnerability analysis and mitigation

CVE-2025-64345 affects Wasmtime, a runtime for WebAssembly, prior to versions 38.0.4, 37.0.3, 36.0.3, and 24.0.5. The vulnerability exists in Wasmtime's Rust embedder API where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory, leading to potential data races (GitHub Advisory). The vulnerability was disclosed and patched on November 11, 2025.

The vulnerability stems from an unsound interaction in the API where shared linear memories could be incorrectly accessed through the wasmtime::Memory type instead of the required wasmtime::SharedMemory type. Two specific vectors were identified: the Memory::new constructor did not properly reject shared memory types, and core dumps would expose all linear memories as wasmtime::Memory, potentially causing unsynchronized reads of shared linear memory (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 1.8 (Low) with vector CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N (GitHub Advisory).

The vulnerability could lead to data races in the host when shared memories are created across threads. However, embeddings that do not use the WebAssembly threads proposal, do not create shared memories, or do not actually share shared memories across threads are unaffected (GitHub Advisory).

Patch releases have been issued for all supported versions of Wasmtime: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via Memory::new and exclude shared memories from core dumps. As a workaround, affected embeddings should use SharedMemory::new instead of Memory::new to create shared memories and disable core dumps if unable to upgrade. Note that core dumps are disabled by default, but the WebAssembly threads proposal and shared memory are enabled by default (GitHub Advisory).