CVE-2024-27529
Description
wasm3 139076a contains memory leaks in Read_utf8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak vulnerability in wasm3's Read_utf8 function can be triggered by a crafted WebAssembly file, leading to denial of service.
Vulnerability Overview
CVE-2024-27529 is a memory leak vulnerability in the Read_utf8 function of wasm3 version 139076a. The issue, confirmed via AddressSanitizer (ASan) logs, occurs in m3_core.c at line 501, where memory allocated by Read_utf8 is not properly freed, leading to a leak of at least 11 bytes after parsing a malicious WebAssembly binary [1][3][4].
Exploitation Vector
The vulnerability is triggered by loading a crafted WebAssembly (Wasm) file into the wasm3 runtime. No authentication is required; exploitation can be achieved remotely by providing a malicious Wasm binary to the interpreter. The ASan report indicates that the leak originates from a call to calloc in m3_Malloc_Impl within the Read_utf8 routine [3][4].
Impact
An attacker can repeatedly trigger the memory leak by sending crafted Wasm files, potentially exhausting available memory and causing a denial of service (DoS). The entire wasm3 runtime is affected [4].
Mitigation
A pull request (#490) has been submitted to the wasm3 repository to address the leak, specifically releasing M3Module.memoryImport [1]. Users are advised to update to a patched version as soon as it becomes available. No known workarounds are documented [2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
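The ownership pattern behind the fix named under Mitigation, as an added C model that is not wasm3 code: a module owns two heap strings for its memory import, and the free routine must release them before the struct itself. All type and function names are hypothetical stand-ins, and an allocation counter takes the place of ASan.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, NOT wasm3 source: every name here is hypothetical. */
static int live_allocs = 0;                 /* heap blocks not yet freed */

static void *model_alloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void model_free(void *p)    { if (p) { live_allocs--; free(p); } }

typedef struct { char *module_name; char *field_name; } ImportInfo;
typedef struct { ImportInfo memory_import; } Module;

/* Stand-in for a Read_utf8-style helper: returns a heap copy the caller owns. */
static char *read_name(const char *src) {
    size_t n = strlen(src) + 1;
    char *dst = model_alloc(n);
    if (dst) memcpy(dst, src, n);
    return dst;
}

static void free_import_info(ImportInfo *info) {
    model_free(info->module_name);          /* model_free tolerates NULL */
    model_free(info->field_name);
    info->module_name = info->field_name = NULL;
}

static Module *parse_module(const char *mod, const char *field) {
    Module *m = model_alloc(sizeof *m);
    if (!m) return NULL;
    m->memory_import.module_name = read_name(mod);
    m->memory_import.field_name  = read_name(field);
    return m;
}

/* Before the fix: the struct is released, its two name strings are not. */
static void free_module_leaky(Module *m) { model_free(m); }
/* After the fix: the nested import strings are released first. */
static void free_module_fixed(Module *m) { free_import_info(&m->memory_import); model_free(m); }

/* Blocks still allocated after one parse/free cycle of a memory import. */
int leaked_blocks(int use_fix) {
    int before = live_allocs;
    Module *m = parse_module("mod", "mem");  /* names from the regression .wat */
    if (!m) return -1;
    if (use_fix) free_module_fixed(m); else free_module_leaky(m);
    return live_allocs - before;
}
int main(void) { printf("leaky=%d fixed=%d\n", leaked_blocks(0), leaked_blocks(1)); return 0; }
```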
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/shareup/wasm-interpreter-apple | SwiftURL | <= 0.8.1 | — |
| pywasm3 | PyPI | <= 0.5.0 | — |
| wasm3 | crates.io | <= 0.3.1 | — |
Affected products
- wasm3/wasm3
- ghsa-coords (3 versions):
  - (no CPE) range: <= 0.3.1
  - (no CPE) range: <= 0.5.0
  - (no CPE) range: <= 0.8.1
Patches
526c1251b64e fix: Releases M3Module.memoryImport. (#490)
3 files changed · +8 −0
source/m3_module.c+1 −0 modified@@ -40,6 +40,7 @@ void m3_FreeModule (IM3Module i_module) FreeImportInfo(&(i_module->globals[i].import)); } m3_Free (i_module->globals); + FreeImportInfo(&i_module->memoryImport); m3_Free (i_module); }
test/regression/github-462.wasm+0 −0 addedtest/regression/github-462.wat+7 −0 added@@ -0,0 +1,7 @@ +(module + (import "mod" "mem" (memory 0 1)) + (type (;0;) (func (result i32))) + (func (;0;) (type 0) (result i32) + i32.const 0 + ) + (export "_start" (func 0)))
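Review bot: in source/m3_module.c, the added FreeImportInfo(&i_module->memoryImport) runs for every module passed to m3_FreeModule, including modules that declare no memory import, and the hunk does not show whether FreeImportInfo tolerates empty (NULL) fields. Confirm that it does or guard the call, and consider matching the parenthesised form used a few lines above, &(i_module->globals[i].import), for consistency.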
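Review bot: test/regression/github-462.wat only reproduces the leaking input (a module importing memory "mod" "mem"); nothing in it fails when the import strings are leaked, so it guards against regression only if the regression suite runs under ASan/LeakSanitizer or an equivalent allocation check. State that requirement next to the test, and since github-462.wasm is added as a binary with no reviewable diff, note how it was generated from the .wat.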
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fmq6-4w57-2w3v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-27529 (ghsa, ADVISORY)
- gist.github.com/haruki3hhh/ac70bd83b9c0ed1de6289d818488da78 (ghsa, WEB)
- github.com/wasm3/wasm3/commit/526c1251b64e6e9fdc0d40c768ae46cd20338594 (ghsa, WEB)
- github.com/wasm3/wasm3/issues/462 (ghsa, WEB)
- github.com/wasm3/wasm3/pull/490 (ghsa, WEB)