CVE-2024-27528
Description
wasm3 version 139076a has an invalid memory read in op_Select_i32_ssr, causing DoS and potential code execution via a crafted wasm file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
wasm3 version 139076a contains an invalid memory read vulnerability in the op_Select_i32_ssr function within m3_exec.h [1][2]. The issue is triggered when processing a specially crafted WebAssembly (wasm) file, leading to a segmentation fault as shown by AddressSanitizer output [1]. The affected build was created with GCC and AddressSanitizer enabled [1].
Exploitation
An attacker can exploit this vulnerability remotely or locally by supplying a malicious wasm file to the wasm3 interpreter [2]. The crash occurs during the execution of op_Select_i32_ssr when a crafted input causes an invalid memory read, as evidenced by the ASAN log showing a SEGV on an unknown address [1]. No authentication or user interaction beyond opening the file is required [2].
Impact
Successful exploitation leads to a denial of service due to the crash, and the description notes potential for arbitrary code execution [1][2]. The severity is high, and the attack can be launched remotely [2].
Mitigation
As of the latest references, no patch or fixed version has been released [1][2]. Users should avoid processing untrusted wasm files and monitor the wasm3 repository for updates. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- wasm3/wasm3
- Range: = 139076a
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"An invalid memory read occurs in the `op_Select_i32_ssr` function."
Attack vector
The vulnerability is triggered by a malformed WebAssembly module. When the `op_Select_i32_ssr` function attempts to read from an invalid memory address, it results in a segmentation fault. This can lead to a denial of service or potentially code execution.
Affected code
The vulnerability resides in the `op_Select_i32_ssr` function, located in `/root/Ablation/wasm3/source/m3_exec.h` at line 1099 [ref_id=1]. The ASAN log indicates that the crash occurs during the execution of this function.
What the fix does
The provided information does not include a patch or specific details on how the vulnerability is fixed. The advisory indicates that the issue is an invalid memory read in `op_Select_i32_ssr` [ref_id=1]. Further remediation guidance is not available in the bundle.
Preconditions
- Input: a malformed WebAssembly module.
Reproduction
The bundle includes a PoC reference, but the reproduction steps are not detailed within the provided text.
Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-mhg9-mm8c-c683
- gist.github.com/haruki3hhh/baa757c4af4fefb410d9c74d7a68152e
- github.com/pypa/advisory-database/tree/main/vulns/pywasm3/PYSEC-2024-304.yaml
- github.com/wasm3/pywasm3/blob/main/wasm3/m3_exec.h
- github.com/wasm3/wasm3/issues/463
- nvd.nist.gov/vuln/detail/CVE-2024-27528