CVE-2025-15572

3.3 LOW

📋 TL;DR

A memory leak exists in the NewCodePage function of the wasm3 WebAssembly interpreter, in versions up to 0.5.0. It allows local attackers to gradually exhaust system memory, potentially causing denial of service. Systems that use wasm3 to execute untrusted WebAssembly code are affected.

💻 Affected Systems

Products:
  • wasm3 WebAssembly interpreter
Versions: All versions up to and including 0.5.0
Operating Systems: All platforms where wasm3 runs (Linux, Windows, macOS, embedded systems)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires execution of malicious WebAssembly code. Systems using wasm3 to execute untrusted WebAssembly are at risk.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system memory exhaustion leading to denial of service, application crashes, and potential system instability affecting other services.

🟠 Likely Case

Gradual memory consumption causing performance degradation and eventual application crashes in affected wasm3 instances.

🟢 If Mitigated

Minimal impact if proper memory limits and monitoring are in place, with only isolated application crashes.

🌐 Internet-Facing: LOW - Attack requires local access to execute malicious WebAssembly code.
🏢 Internal Only: MEDIUM - Internal users with access to execute WebAssembly code could cause denial of service to affected applications.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

A proof of concept is available in the GitHub repository. Exploitation requires the ability to execute WebAssembly code locally. The project currently has no active maintainer.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None - project has no active maintainer

Vendor Advisory: https://github.com/wasm3/wasm3/issues/550

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative WebAssembly runtimes or implementing workarounds.

🔧 Temporary Workarounds

Memory usage monitoring and limits

Platform: all

Implement memory usage monitoring and hard limits for wasm3 processes to prevent complete memory exhaustion.

  • Use ulimit -v [memory_limit_in_kb] for Linux systems
  • Implement container memory limits for Docker deployments

Restrict WebAssembly code execution

Platform: all

Only allow execution of trusted, verified WebAssembly code in wasm3 environments.

🧯 If You Can't Patch

  • Isolate wasm3 instances in containers with strict memory limits
  • Implement aggressive monitoring and alerting for abnormal memory consumption patterns
  • Consider migrating to maintained WebAssembly runtimes like Wasmtime or WAMR
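
The ulimit workaround and the memory-consumption monitoring described above, as an added example that is not part of the advisory or the wasm3 project. The function names, the limit values, the sample log and the module.wasm file name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. Function names, limits and the
# sample log below are constructed for illustration.

# Run a command under a virtual-memory cap (kB). The subshell keeps the
# limit away from the calling shell; exec applies it to the target itself.
run_with_vm_limit() {
    limit_kb="$1"; shift
    ( ulimit -v "$limit_kb" && exec "$@" )
}

# Read "epoch pid comm rss_kb" samples on stdin and print PIDs whose command
# name contains "wasm3" and whose RSS rose across min_samples ($1)
# consecutive samples by at least min_growth_kb ($2) in total.
leak_suspects() {
    awk -v n="$1" -v g="$2" '
        index($3, "wasm3") == 0 { next }
        {
            pid = $2; rss = $4 + 0
            if ((pid in last) && rss > last[pid]) run[pid]++
            else { first[pid] = rss; run[pid] = 1 }   # streak starts or resets
            last[pid] = rss
            if (run[pid] >= n && rss - first[pid] >= g) hit[pid] = 1
        }
        END { for (p in hit) print p }
    ' | sort -n
}

# Constructed samples: one line per process per minute.
SAMPLE_LOG='1700000000 4242 wasm3 20480
1700000000 5151 wasm3 30000
1700000000 777 nginx 50000
1700000060 4242 wasm3 36864
1700000060 5151 wasm3 29500
1700000060 777 nginx 90000
1700000120 4242 wasm3 53248
1700000120 5151 wasm3 30100
1700000120 777 nginx 130000
1700000180 4242 wasm3 69632
1700000180 5151 wasm3 30050
1700000180 777 nginx 170000'

# Cap a wasm3 run at 256 MiB of address space (module.wasm is a placeholder):
#   run_with_vm_limit 262144 wasm3 module.wasm
# Flag 4 consecutive rising samples with at least 32 MiB of growth:
#   printf '%s\n' "$SAMPLE_LOG" | leak_suspects 4 32768
```

On the constructed samples only PID 4242 is reported: PID 5151 fluctuates around a steady value, and the growing nginx process is ignored because its name does not contain wasm3.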

🔍 How to Verify

Check if Vulnerable:

Check the wasm3 version: if it is 0.5.0 or earlier, the system is vulnerable. Test with the PoC provided in the GitHub repository.

Check Version:

Run wasm3 --version, or check the build/installation documentation for version information.

Verify Fix Applied:

No official fix available. Verify workarounds by testing memory consumption with malicious WebAssembly code.

📡 Detection & Monitoring

Log Indicators:

  • Abnormal memory consumption patterns in wasm3 processes
  • Application crashes with out-of-memory errors
  • Repeated WebAssembly module loading failures

Network Indicators:

  • None - local vulnerability only

SIEM Query:

Process memory usage > threshold AND process_name contains 'wasm3'
