wasm3
cpe:2.3:a:wasm3_project:wasm3:*:*:*:*:*:*:*
- <= 0.5.0
A memory leak has been identified in Wasm3 through version 0.5.0, in the NewCodePage function. It occurs when the interpreter encounters a runtime error related to the stack's value count: the error-handling path aborts execution but does not release a large allocation of approximately 263 MB. Exploitation requires local access. The issue has been publicly disclosed, and the Wasm3 project currently lacks an active maintainer.
Exploitation leads to significant resource exhaustion and a denial-of-service condition. Because the leak sits in the error-handling path taken after a runtime validation failure, system memory can be consumed rapidly. In embedded environments or long-running services that use Wasm3, this can result in out-of-memory crashes and service unavailability.
The vulnerability can be reproduced by running the Wasm3 interpreter on a crafted WebAssembly module that triggers the specific runtime error related to the stack's value count; the interpreter then takes the error path that leaks the memory.