WebAssembly Micro Runtime Memory Management Vulnerability in LLVM-JIT Mode

Vulnerability

A vulnerability exists in WebAssembly Micro Runtime (WAMR) versions prior to 2.4.2, specifically in LLVM-JIT mode. The issue arises when executing WebAssembly programs that include a memory.fill instruction with a memory address pointer of 2 GiB or more. In this scenario, the runtime fails to exit properly, causing a hang in release builds or a crash in debug builds due to invalid pointer access. This problem does not occur in FAST-JIT mode or with other runtime tools.

Impact

The vulnerability leads to a hang in release builds or a crash in debug builds, caused by accessing an invalid pointer.

Reproduction

To reproduce this vulnerability, create a WebAssembly module that includes a memory.fill instruction. Set the first operand, which specifies the memory address pointer, to a value greater than or equal to 2 GiB. When this WebAssembly program is executed in WAMR's LLVM-JIT mode, the runtime will hang or crash, demonstrating the vulnerability.

Remediation

Users can upgrade to WAMR version 2.4.2 or later, where this vulnerability has been fixed.
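For deployments that cannot upgrade immediately, the following added example (not part of the advisory or of WAMR) triages Wasm binaries by flagging any whose code section may contain a memory.fill instruction, encoded as the 0xFC prefix followed by LEB128 sub-opcode 11. The sample modules are constructed for illustration, and the byte scan is deliberately conservative: it can over-report when 0xFC 0x0B appears inside an immediate, but it also catches over-long LEB128 encodings of the sub-opcode.

```python
WASM_MAGIC = b"\x00asm\x01\x00\x00\x00"
CODE_SECTION_ID = 10
MISC_PREFIX = 0xFC   # prefix byte shared by bulk-memory and saturating ops
MEMORY_FILL = 11     # sub-opcode of memory.fill after the 0xFC prefix

def read_u32_leb(buf, pos):
    """Decode an unsigned LEB128 (at most 5 bytes); return (value, next_pos)."""
    value = shift = 0
    for _ in range(5):
        if pos >= len(buf):
            raise ValueError("truncated LEB128")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise ValueError("LEB128 too long")

def code_sections(module):
    """Yield the raw payload of every code section in a Wasm binary."""
    if module[:8] != WASM_MAGIC:
        raise ValueError("not a WebAssembly 1.0 binary")
    pos = 8
    while pos < len(module):
        section_id = module[pos]
        size, pos = read_u32_leb(module, pos + 1)
        if pos + size > len(module):
            raise ValueError("section overruns file")
        if section_id == CODE_SECTION_ID:
            yield module[pos:pos + size]
        pos += size

def may_contain_memory_fill(module):
    """True if any 0xFC byte in a code section is followed by LEB128 value 11."""
    for payload in code_sections(module):
        for i, byte in enumerate(payload):
            if byte == MISC_PREFIX:
                try:
                    if read_u32_leb(payload, i + 1)[0] == MEMORY_FILL:
                        return True
                except ValueError:
                    pass  # 0xFC was the tail of an immediate, not an opcode
    return False

# Constructed samples: type, function and memory sections, then a code section.
SAMPLE_HEAD = WASM_MAGIC + bytes.fromhex("010401600000" "03020100" "0503010001")
WITH_FILL = SAMPLE_HEAD + bytes.fromhex("0a0d010b00410041004100fc0b000b")
WITHOUT_FILL = SAMPLE_HEAD + bytes.fromhex("0a040102000b")
```

A module that is not flagged contains no memory.fill and so cannot reach the condition as the advisory describes it; a flagged module is a candidate to hold back from LLVM-JIT mode until the runtime is at 2.4.2 or later.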

Added: Sep 16, 2025, 5:16 PM
Updated: Sep 16, 2025, 5:16 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.