CVE-2025-64345

CVE-2025-64345 is a low-severity race condition vulnerability in wasmtime (rust), affecting versions >= 38.0.0, < 38.0.4. It is fixed in 38.0.4, 37.0.3, 36.0.3, 24.0.5.

Summary

Workarounds

Embeddings affected by this issue should use SharedMemory::new instead of Memory::new to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default. It's recommended to upgrade to a patched version of Wasmtime, however.

Impact

Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host.

Wasmtime has a wasmtime::Memory type which represents linear memories in a WebAssembly module. Wasmtime also has wasmtime::SharedMemory, however, which represents shared linear memories introduced in the WebAssembly threads proposal. The API of SharedMemory does not provide accessors which return &[u8] in Rust, for example, as that's not a sound type signature when other threads could be modifying memory. The wasmtime::Memory type, however, does provide this API as it's intended to be used with non-shared memories where static knowledge is available that no concurrent or parallel reads or writes are happening. This means that it's not sound to represent a shared linear memory with wasmtime::Memory and it must instead be represented with wasmtime::SharedMemory.

There were two different, erroneous, methods of creating a wasmtime::Memory which represents a shared memory however:

  1. The wasmtime::Memory::new constructor takes a MemoryType which could be shared. This function did not properly reject shared memory types and require usage of SharedMemory::new instead.
  2. Capturing a core dump with WebAssembly would expose all linear memories a wasmtime::Memory. This means that a core dump would perform an unsynchronized read of shared linear memory, possibly leading to data races.

This is a bug in Wasmtime's safe Rust API. It should not be possible to cause unsoundness with Wasmtime's embedding API if unsafe is not used. Embeddings which do not use the wasm threads proposal nor created shared memories nor actually share shared memories across threads are unaffected. Only if shared memories are created across threads might an embedding be affected.

Multiple concurrent operations access a shared resource without proper synchronization, producing unpredictable results depending on timing. Typical impact: TOCTOU exploits, data corruption, or privilege escalation.

CVE-2025-64345 has a CVSS score of 1.8 (Low). The vector is requires local access, high privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (38.0.4, 37.0.3, 36.0.3, 24.0.5); upgrading removes the vulnerable code path.

Affected versions

wasmtime (>= 38.0.0, < 38.0.4) wasmtime (>= 37.0.0, < 37.0.3) wasmtime (>= 26.0.0, < 36.0.3) wasmtime (< 24.0.5)

Security releases

wasmtime → 38.0.4 (rust) wasmtime → 37.0.3 (rust) wasmtime → 36.0.3 (rust) wasmtime → 24.0.5 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via Memory::new and shared memories are now excluded from core dumps.

Frequently Asked Questions

  1. What is CVE-2025-64345? CVE-2025-64345 is a low-severity race condition vulnerability in wasmtime (rust), affecting versions >= 38.0.0, < 38.0.4. It is fixed in 38.0.4, 37.0.3, 36.0.3, 24.0.5. Multiple concurrent operations access a shared resource without proper synchronization, producing unpredictable results depending on timing.
  2. How severe is CVE-2025-64345? CVE-2025-64345 has a CVSS score of 1.8 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of wasmtime are affected by CVE-2025-64345? wasmtime (rust) versions >= 38.0.0, < 38.0.4 is affected.
  4. Is there a fix for CVE-2025-64345? Yes. CVE-2025-64345 is fixed in 38.0.4, 37.0.3, 36.0.3, 24.0.5. Upgrade to this version or later.
  5. Is CVE-2025-64345 exploitable, and should I be worried? Whether CVE-2025-64345 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2025-64345 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-64345?
    • Upgrade wasmtime to 38.0.4 or later
    • Upgrade wasmtime to 37.0.3 or later
    • Upgrade wasmtime to 36.0.3 or later
    • Upgrade wasmtime to 24.0.5 or later

Other vulnerabilities in wasmtime

CVE-2026-44216CVE-2026-35186CVE-2026-34987CVE-2026-35195CVE-2026-34988

Stop the waste.
Protect your environment with Kodem.