CVE-2025-15572: Memory Leak in wasm3
A vulnerability has been found in wasm3 up to 0.5.0. The affected element is the function NewCodePage. The manipulation leads to a memory leak. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. Unfortunately, the project has no active maintainer at the moment.
AI Analysis
Technical Summary
CVE-2025-15572 identifies a memory leak vulnerability in wasm3, an open-source WebAssembly interpreter, affecting all versions up to 0.5.0. The vulnerability resides in the NewCodePage function, which is responsible for managing code pages in the wasm3 runtime. Improper handling in this function leads to memory not being released correctly, causing a leak. Exploitation requires local access with limited privileges and does not need user interaction or elevated permissions. The leak can be triggered repeatedly to exhaust available memory, potentially leading to degraded performance or denial of service on the host system. Since wasm3 is often embedded in applications or used for local WebAssembly execution, this vulnerability could impact any system running vulnerable versions. The project currently lacks an active maintainer, and no official patches or fixes have been released, increasing the risk for users relying on this runtime. The CVSS 4.8 score reflects the medium severity, with low attack complexity but limited scope and impact. No known exploits are reported in the wild, but public disclosure means attackers could develop exploits. The vulnerability does not compromise data confidentiality or integrity but poses a risk to system stability and availability through resource exhaustion.
Potential Impact
The primary impact of CVE-2025-15572 is resource exhaustion due to a memory leak, which can degrade system performance or cause denial of service conditions on affected hosts. Organizations using wasm3 in local environments or embedded systems may experience application crashes or system instability if the vulnerability is exploited. Although the attack requires local access and limited privileges, it could be leveraged by malicious insiders or through chained attacks involving local code execution. The lack of active maintenance and absence of patches increase the risk of prolonged exposure. Systems critical to operations that embed wasm3 could face availability issues, potentially disrupting services or workflows. However, since the vulnerability does not allow privilege escalation, remote exploitation, or data compromise, the overall impact is moderate. Organizations with high reliance on wasm3 or similar WebAssembly runtimes should consider the risk carefully, especially in environments where local user access is less controlled.
Mitigation Recommendations
Given the absence of official patches or active maintainers, organizations should consider the following mitigations:
1) Avoid using vulnerable versions of wasm3 where possible; evaluate alternative WebAssembly runtimes with active maintenance and security support.
2) Restrict local access to systems running wasm3 to trusted users only, minimizing the risk of local exploitation.
3) Implement monitoring for unusual memory usage patterns or application crashes that could indicate exploitation attempts.
4) Employ containerization or sandboxing to isolate wasm3 execution environments, limiting the impact of resource exhaustion.
5) If source code access is available, consider community-driven patches or manual code audits to identify and fix the memory leak.
6) Maintain up-to-date backups and incident response plans to recover from potential denial of service scenarios.
7) Engage with the wasm3 community or security forums to track any unofficial patches or updates.
These steps go beyond generic advice by focusing on access control, runtime isolation, and proactive monitoring tailored to the specific nature of the vulnerability and the current project maintenance status.
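The memory-usage monitoring in mitigation 3 can be implemented as a trend check on the resident set size of the process that embeds wasm3, with the memory cap from mitigation 4 used to estimate time to exhaustion. This is an added example, not code from the wasm3 project or from this advisory; the function names, thresholds and sample values are assumptions made for illustration.

```python
"""Added example: flag sustained RSS growth in a process that embeds wasm3."""

def read_rss_kib(pid):
    """Resident set size of `pid` in KiB, read from /proc (Linux only)."""
    with open(f"/proc/{pid}/status") as fh:
        for line in fh:
            if line.startswith("VmRSS:"):
                return int(line.split()[1])
    raise RuntimeError(f"no VmRSS entry for pid {pid}")

def assess_growth(samples, limit_kib, min_slope=64.0, min_rising=0.8):
    """samples: [(seconds, rss_kib), ...] in time order; thresholds are assumptions.

    A leak is suspected when the least-squares slope is at least `min_slope`
    KiB/s AND at least `min_rising` of consecutive samples increase, which
    separates steady growth from a one-off allocation spike.
    """
    if len(samples) < 5:
        return {"leak_suspected": False, "slope_kib_s": 0.0,
                "rising_fraction": 0.0, "eta_s": None}
    t = [s[0] for s in samples]
    r = [s[1] for s in samples]
    mt, mr = sum(t) / len(t), sum(r) / len(r)
    den = sum((x - mt) ** 2 for x in t)
    slope = sum((x - mt) * (y - mr) for x, y in zip(t, r)) / den if den else 0.0
    rising = sum(b > a for a, b in zip(r, r[1:])) / (len(r) - 1)
    suspected = slope >= min_slope and rising >= min_rising
    # Seconds until the memory cap (e.g. a cgroup limit) is reached at this rate.
    eta = (limit_kib - r[-1]) / slope if suspected and r[-1] < limit_kib else None
    return {"leak_suspected": suspected, "slope_kib_s": slope,
            "rising_fraction": rising, "eta_s": eta}

# Constructed samples, one every 10 s (not measurements of wasm3).
LEAKING = [(10 * i, 50_000 + 1_000 * i) for i in range(10)]
STEADY = list(zip(range(0, 100, 10),
                  [50_000, 50_400, 49_900, 50_300, 50_000,
                   50_200, 49_950, 50_100, 50_000, 50_050]))
SPIKE = [(10 * i, 50_000 if i < 5 else 90_000) for i in range(10)]

if __name__ == "__main__":
    for name, data in (("leaking", LEAKING), ("steady", STEADY), ("spike", SPIKE)):
        print(name, assess_growth(data, limit_kib=262_144))
```

In production, `read_rss_kib` would feed the sample list on a timer, and a positive verdict would trigger an alert or a controlled restart before the cap is reached.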
Affected Countries
United States, Germany, Japan, South Korea, China, United Kingdom, France, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-08T08:59:36.539Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 698b52ca4b57a58fa117f4ed
Added to database: 2/10/2026, 3:46:18 PM
Last enriched: 2/23/2026, 9:04:06 PM
Last updated: 4/7/2026, 1:36:06 PM