Cyber Resilience

CVE-2025-15413

MediumPublic PoC

Published: 01 January 2026

Published
01 January 2026
Modified
23 February 2026
KEV Added
Patch
CVSS Score v4 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 10.7th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-15413 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Wasm3 Project Wasm3. Its CVSS base score is 4.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 10.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SC-39 (Process Isolation).

Deeper analysis

CVE-2025-15413 is a memory corruption vulnerability (CWE-119, CWE-787) affecting wasm3 versions up to 0.5.0, specifically in the op_SetSlot_i32 and op_CallIndirect functions within the m3_exec.h file. Manipulation of these functions can lead to improper memory operations, such as out-of-bounds writes. The issue has a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with low confidentiality, integrity, and availability impacts.

The vulnerability requires local access (AV:L) with low privileges (PR:L), low attack complexity (AC:L), and no user interaction (UI:N). An attacker with local access could exploit it to cause memory corruption, potentially leading to limited disruption or data tampering as per the low impact scores. The exploit is public and available for use.

Advisories reference the wasm3 GitHub repository and issues #543 and #547, along with VulDB entries (ctiid.339334 and id.339334), but note no patches or fixes due to the project lacking an active maintainer. Security practitioners should avoid using affected wasm3 versions or isolate them in sandboxed environments.

Notably, the public exploit availability increases risk for deployments relying on this WebAssembly runtime, with no ongoing maintenance to address the issue.

EU & UK References

Vulnerability details

A vulnerability was detected in wasm3 up to 0.5.0. Impacted is the function op_SetSlot_i32/op_CallIndirect of the file m3_exec.h. Performing a manipulation results in memory corruption. The attack needs to be approached locally. The exploit is now public and may be…

more

used. Unfortunately, the project has no active maintainer at the moment.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local memory corruption (out-of-bounds write) in a runtime binary directly enables exploitation for local privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1418Shared CWE-119, CWE-787
CVE-2026-20698Shared CWE-119, CWE-787
CVE-2026-0106Shared CWE-119, CWE-787
CVE-2025-0529Shared CWE-119, CWE-787
CVE-2025-1187Shared CWE-119, CWE-787
CVE-2026-3137Shared CWE-119, CWE-787
CVE-2026-2016Shared CWE-119, CWE-787
CVE-2025-20795Shared CWE-787
CVE-2025-20641Shared CWE-787
CVE-2025-71137Shared CWE-787

Affected Assets

wasm3 project
wasm3
≤ 0.5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires discontinuing use of wasm3 (unsupported with no maintainer) once known memory-corruption flaws exist.

prevent

Process isolation confines the out-of-bounds write in op_SetSlot_i32/op_CallIndirect so corruption cannot affect other address spaces.

prevent

Memory-protection controls (e.g., ASLR, guard pages, W^X) reduce the likelihood and impact of the CWE-119/CWE-787 write.

References