CVE-2025-15413
Published: 01 January 2026
Summary
CVE-2025-15413 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Wasm3 Project Wasm3. Its CVSS base score is 4.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 10.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SC-39 (Process Isolation).
Deeper analysis
CVE-2025-15413 is a memory corruption vulnerability (CWE-119, CWE-787) affecting wasm3 versions up to 0.5.0, specifically in the op_SetSlot_i32 and op_CallIndirect functions within the m3_exec.h file. Manipulation of these functions can lead to improper memory operations, such as out-of-bounds writes. The issue has a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with low confidentiality, integrity, and availability impacts.
The vulnerability requires local access (AV:L) with low privileges (PR:L), low attack complexity (AC:L), and no user interaction (UI:N). An attacker with local access could exploit it to cause memory corruption, potentially leading to limited disruption or data tampering as per the low impact scores. The exploit is public and available for use.
Advisories reference the wasm3 GitHub repository and issues #543 and #547, along with VulDB entries (ctiid.339334 and id.339334), but note that no patches or fixes are available because the project lacks an active maintainer. Security practitioners should avoid using affected wasm3 versions or isolate them in sandboxed environments.
Notably, the public exploit availability increases risk for deployments relying on this WebAssembly runtime, with no ongoing maintenance to address the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-0004
Vulnerability details
A vulnerability was detected in wasm3 up to 0.5.0. Impacted is the function op_SetSlot_i32/op_CallIndirect of the file m3_exec.h. Performing a manipulation results in memory corruption. The attack needs to be approached locally. The exploit is now public and may be used. Unfortunately, the project has no active maintainer at the moment.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local memory corruption (out-of-bounds write) in a runtime binary directly enables exploitation for local privilege escalation.
Mitigating Controls (NIST 800-53 r5)
Directly requires discontinuing use of wasm3 (unsupported with no maintainer) once known memory-corruption flaws exist.
Process isolation confines the out-of-bounds write in op_SetSlot_i32/op_CallIndirect so corruption cannot affect other address spaces.
Memory-protection controls (e.g., ASLR, guard pages, W^X) reduce the likelihood and impact of the CWE-119/CWE-787 write.