| Name | CVE-2025-62711 |
| Description | Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3, the implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. Wasmtime 38.0.3 has been released and is patched to fix this issue. There are no workarounds. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| rust-wasmtime (PTS) | trixie | 26.0.1+dfsg-3 | fixed |
| | forky | 26.0.1+dfsg-4 | fixed |
| | sid | 27.0.0+dfsg-3 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| rust-wasmtime | source | (unstable) | (not affected) | | | |

- rust-wasmtime <not-affected> (Vulnerable code introduced later)
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4h67-722j-5pmc
Introduced due to: https://github.com/bytecodealliance/wasmtime/pull/11592
Introduced with: https://github.com/bytecodealliance/wasmtime/commit/192f2fcdadfec9d0cf6b58548a85a7307450cbf5 (v38.0.1)
Fixed by: https://github.com/bytecodealliance/wasmtime/commit/c3d448cd14858e280801f93b9a8a1897a423e769 (v38.0.3)
https://rustsec.org/advisories/RUSTSEC-2025-0112.html