CVE-2025-64704: Critical Segmentation Fault in WAMR’s v128.store Instruction

Overview

CVE-2025-64704 is a medium severity vulnerability affecting WebAssembly Micro Runtime (WAMR), a lightweight standalone WebAssembly (Wasm) runtime. Specifically, versions prior to 2.4.4 are susceptible to a segmentation fault triggered by the v128.store instruction. This vulnerability could lead to denial-of-service (DoS) or potentially more severe consequences depending on the context in which WAMR is used.

Technical Details

The vulnerability lies in the handling of the v128.store instruction within WAMR. This instruction is used to store a 128-bit vector value in memory. Due to an error in the implementation prior to version 2.4.4, processing a crafted v128.store instruction can cause WAMR to attempt to access an invalid memory location, resulting in a segmentation fault. This crashes the runtime, potentially disrupting the execution of any applications relying on WAMR.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-64704 is 4.7 (Medium). The CVSS vector is not included here for brevity, but can be calculated based on the factors contributing to the score. This score indicates a potential vulnerability that can be exploited with relative ease and may cause disruption to service, but does not necessarily allow for remote code execution or data compromise in all scenarios.

Possible Impact

The primary impact of CVE-2025-64704 is a denial-of-service (DoS). An attacker could provide a malicious Wasm module containing a specially crafted v128.store instruction to trigger a segmentation fault in the WAMR runtime, causing it to crash. This could disrupt services that rely on WAMR for execution. The actual impact would depend on the specific use case of WAMR and its integration within a larger system. In some environments, it might be possible for an attacker to leverage this vulnerability further, but that is less likely.

Mitigation or Patch Steps

The vulnerability is patched in WAMR version 2.4.4. The recommended mitigation is to upgrade to version 2.4.4 or later, which resolves the issue with the v128.store instruction. If upgrading is not immediately feasible, carefully vet any Wasm modules before deploying them to your WAMR environment. Specifically, review the Wasm code for use of the `v128.store` instruction to minimise potential exploitation of the vulnerability.
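One way to automate the module review described above is to scan the code section of a .wasm binary for the v128.store opcode (SIMD prefix 0xFD followed by sub-opcode 11). This is an added example, not code from WAMR or from this post; the function names are hypothetical and the sample module is constructed for illustration.

```python
WASM_HEADER = b"\0asm\x01\0\0\0"   # magic + version 1
CODE_SECTION_ID = 10
SIMD_PREFIX = 0xFD                 # first byte of every SIMD instruction
V128_STORE = 11                    # v128.store is encoded as 0xFD 0x0B

def read_u32_leb(buf, pos):
    """Decode an unsigned LEB128 u32 at pos; return (value, next_pos)."""
    value = 0
    for i, byte in enumerate(buf[pos:pos + 5]):   # a u32 takes at most 5 bytes
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("truncated or over-long LEB128")

def code_sections(module):
    """Yield (file_offset, payload) for each code section of a .wasm binary."""
    if module[:8] != WASM_HEADER:
        raise ValueError("not a Wasm binary module")
    pos = 8
    while pos < len(module):
        size, body = read_u32_leb(module, pos + 1)
        if body + size > len(module):
            raise ValueError("section overruns file")
        if module[pos] == CODE_SECTION_ID:
            yield body, module[body:body + size]
        pos = body + size

def find_v128_store(module):
    """Return file offsets of byte sequences that decode as v128.store."""
    # Every 0xFD byte is tested without decoding instructions: immediates can
    # give false positives, but a padded LEB128 sub-opcode (FD 8B 00) is caught.
    hits = []
    for base, payload in code_sections(module):
        for i in (j for j, b in enumerate(payload) if b == SIMD_PREFIX):
            try:
                sub_opcode, _ = read_u32_leb(payload, i + 1)
            except ValueError:
                continue           # prefix byte at the very end of the payload
            if sub_opcode == V128_STORE:
                hits.append(base + i)
    return hits

def sample_module(tail):
    """Constructed one-function module; `tail` is the code before `end`."""
    body = b"\x00\x41\x00\xfd\x0c" + bytes(16) + tail + b"\x0b"
    code = b"\x01" + bytes([len(body)]) + body
    sections = bytes.fromhex("01 04 01600000 03 02 0100 05 03 010001")
    return WASM_HEADER + sections + b"\x0a" + bytes([len(code)]) + code
```

A non-empty result means the module should be held back or inspected with a full disassembler until the runtime is upgraded; the scan covers .wasm binaries only, not precompiled AOT files.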

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
