
CVE-2025-15572: Memory Leak in wasm3

Severity: Medium
Type: Vulnerability
Published: Tue Feb 10 2026 (02/10/2026, 15:32:08 UTC)
Source: CVE Database V5
Product: wasm3

Description

A vulnerability has been found in wasm3 up to 0.5.0. The affected element is the function NewCodePage. The manipulation leads to a memory leak. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. Unfortunately, the project has no active maintainer at the moment.

AI-Powered Analysis

Last updated: 02/10/2026, 16:01:44 UTC

Technical Analysis

CVE-2025-15572 identifies a memory leak vulnerability in the wasm3 WebAssembly interpreter, specifically affecting the NewCodePage function in versions 0.1 through 0.5.0. wasm3 is a lightweight WebAssembly runtime often embedded in local applications and devices. The vulnerability arises from improper memory management during code page allocation, leading to gradual memory leakage when the function is invoked. Exploitation requires local access with low privileges and no user interaction, meaning an attacker must already have some foothold on the system. The memory leak can cause resource exhaustion, potentially degrading system performance or causing denial of service conditions over time. The vulnerability has been publicly disclosed, but no patches or fixes exist due to the absence of an active maintainer for the wasm3 project. No known exploits have been observed in the wild yet, but the public disclosure increases the risk of exploitation attempts. The CVSS score of 4.8 reflects medium severity, considering the local attack vector, low complexity, and limited impact confined to availability degradation. The vulnerability does not affect confidentiality or integrity. Given wasm3's use in embedded systems and local applications, the threat mainly targets environments where wasm3 is deployed locally rather than exposed remotely.

Potential Impact

For European organizations, the primary impact of CVE-2025-15572 is on system availability and stability. Systems embedding wasm3 could experience gradual memory exhaustion leading to crashes or degraded performance, potentially disrupting critical local applications or embedded devices. This could affect sectors relying on embedded WebAssembly runtimes such as IoT device manufacturers, industrial automation, and software development environments. Since exploitation requires local access, the risk is higher in environments with multiple users or where attackers can gain initial access through other means. The lack of an active maintainer and absence of patches complicate remediation efforts, increasing exposure duration. While no direct data breach or integrity compromise is expected, denial of service or system instability could indirectly impact business operations and service continuity. Organizations with strict uptime requirements or those operating critical infrastructure should be particularly cautious. The medium severity rating suggests the threat is manageable but warrants proactive mitigation.

Mitigation Recommendations

Given the absence of official patches, European organizations should implement compensating controls to mitigate CVE-2025-15572. First, restrict local access to systems running wasm3 to trusted users only, employing strong authentication and access controls. Monitor memory usage closely on affected systems to detect abnormal leaks early and trigger alerts. Consider isolating wasm3 processes in containers or sandboxes to limit impact scope. Evaluate the feasibility of replacing wasm3 with alternative actively maintained WebAssembly runtimes that do not exhibit this vulnerability. For development environments, enforce strict code review and limit use of vulnerable wasm3 versions. Maintain up-to-date backups and incident response plans to handle potential denial of service scenarios. Engage with the wasm3 community or consider forking the project to develop internal patches if feasible. Finally, educate local administrators and users about the risk of local exploitation and the importance of minimizing unnecessary local access.
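The memory-monitoring recommendation above, as an added example that is not part of the original advisory or the wasm3 project: a detector that fits a least-squares slope to resident-set-size samples of a process embedding wasm3 and flags sustained growth while ignoring a one-off allocation jump. The function names, thresholds and sample values are assumptions constructed for illustration.

```python
"""Leak-trend detector for a process embedding wasm3 (added example)."""
from pathlib import Path


def read_rss_kib(pid: int) -> int:
    """Return VmRSS of `pid` in KiB from /proc (Linux only)."""
    for line in Path(f"/proc/{pid}/status").read_text().splitlines():
        if line.startswith("VmRSS:"):
            return int(line.split()[1])
    raise RuntimeError(f"no VmRSS for pid {pid} (kernel thread or exited)")


def growth_slope(samples):
    """Least-squares slope in KiB per second over (timestamp, rss_kib) pairs."""
    n = len(samples)
    if n < 2:
        return 0.0
    mean_t = sum(t for t, _ in samples) / n
    mean_r = sum(r for _, r in samples) / n
    var_t = sum((t - mean_t) ** 2 for t, _ in samples)
    if var_t == 0:
        return 0.0
    cov = sum((t - mean_t) * (r - mean_r) for t, r in samples)
    return cov / var_t


def is_leaking(samples, min_slope_kib_s=1.0, min_rising_fraction=0.8):
    """Flag a positive trend in which most intervals rise (thresholds assumed)."""
    if len(samples) < 5:  # too little data to call a trend
        return False
    rising = sum(1 for (_, a), (_, b) in zip(samples, samples[1:]) if b > a)
    frac = rising / (len(samples) - 1)
    return growth_slope(samples) >= min_slope_kib_s and frac >= min_rising_fraction


# Constructed samples: (seconds, RSS in KiB), one reading per minute.
LEAKY = [(60 * i, 20_000 + 64 * i) for i in range(10)]              # steady growth
STEADY = [(60 * i, 20_000 + (8 if i % 2 else 0)) for i in range(10)]  # jitter only
SPIKE = [(60 * i, 20_000 if i < 5 else 24_000) for i in range(10)]    # one jump

if __name__ == "__main__":
    for name, s in (("leaky", LEAKY), ("steady", STEADY), ("spike", SPIKE)):
        print(name, round(growth_slope(s), 3), is_leaking(s))
```

In production the samples would come from periodic calls to `read_rss_kib` on the host process, with the alert wired into existing monitoring.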


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-08T08:59:36.539Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 698b52ca4b57a58fa117f4ed

Added to database: 2/10/2026, 3:46:18 PM

Last enriched: 2/10/2026, 4:01:44 PM

Last updated: 2/21/2026, 2:16:24 AM
