CVE-2025-15413
Published: 01 January 2026
Summary
CVE-2025-15413 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Wasm3 Project Wasm3. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 13.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution.
Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release.
Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation.
Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local memory corruption (out-of-bounds write) in a runtime binary directly enables exploitation for local privilege escalation.
NVD Description
A vulnerability was detected in wasm3 up to 0.5.0. Impacted is the function op_SetSlot_i32/op_CallIndirect of the file m3_exec.h. Performing a manipulation results in memory corruption. The attack needs to be approached locally. The exploit is now public and may be used. Unfortunately, the project has no active maintainer at the moment.
Deeper analysis
CVE-2025-15413 is a memory corruption vulnerability (CWE-119, CWE-787) affecting wasm3 versions up to 0.5.0, specifically in the op_SetSlot_i32 and op_CallIndirect functions within the m3_exec.h file. Manipulation of these functions can lead to improper memory operations, such as out-of-bounds writes. The issue has a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with low confidentiality, integrity, and availability impacts.
The vulnerability requires local access (AV:L) with low privileges (PR:L), low attack complexity (AC:L), and no user interaction (UI:N). An attacker with local access could exploit it to cause memory corruption, potentially leading to limited disruption or data tampering as per the low impact scores. The exploit is public and available for use.
Advisories reference the wasm3 GitHub repository and issues #543 and #547, along with VulDB entries (ctiid.339334 and id.339334), but note no patches or fixes due to the project lacking an active maintainer. Security practitioners should avoid using affected wasm3 versions or isolate them in sandboxed environments.
Notably, the public exploit availability increases risk for deployments relying on this WebAssembly runtime, with no ongoing maintenance to address the issue.
Details
- CWE(s)