## Wasmtime Rust Crate Patches Memory Safety Flaw in WebAssembly Shared Memory Access
A security-focused update to the Wasmtime WebAssembly runtime addresses a soundness vulnerability that could expose Rust embedders to data race conditions. The patch, which upgrades the crate from version 26.0 to 36.0, resolves CVE-2025-64345 (GHSA-hc7m-r6v8-hg9q)—an unsound API interaction involving shared linear memory access that undermines Rust's memory safety guarantees.

The vulnerability exists within Wasmtime's `wasmtime::Memory` type, which provides Rust embedders with what the API represents as safe access to WebAssembly linear memory contents. The flaw emerges specifically with shared linear memories—memory regions that can be modified in parallel by WebAssembly threads. The API incorrectly exposes these shared memories through a type interface that claims safe access, but because the underlying memory can be concurrently modified, this creates conditions for data races in host Rust code. Such races can trigger undefined behavior, memory corruption, or potential exploitation vectors in applications that relied on Wasmtime's advertised safety properties.

The ten-version increment from 26.0 to 36.0 signals substantial remediation work, and the classification as a security update indicates the maintainers assessed the risk as significant. Projects embedding Wasmtime—particularly those executing untrusted WebAssembly modules or operating in multi-threaded environments—face elevated exposure. Organizations depending on Wasmtime for sandboxed execution should evaluate their use of shared memory features and prioritize this update, as code written against the affected API may have introduced latent vulnerabilities under the assumption of compiler-enforced safety.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: wasmtime, rust, CVE-2025-64345, memory-safety, webassembly
- **Credibility**: unverified
- **Published**: 2026-05-10 12:01:45
- **ID**: 81523
- **URL**: https://whisperx.ai/en/intel/81523