CVE-2025-58749 is a vulnerability identified in the WebAssembly Micro Runtime (WAMR), a lightweight standalone runtime for executing WebAssembly (Wasm) programs. The issue affects versions of WAMR prior to 2.4.2 when operating in LLVM-JIT mode. Specifically, the vulnerability arises when executing WebAssembly programs containing the memory.fill instruction, where the first operand, a memory address pointer, is equal to or exceeds 2 GiB (2147483648 bytes). Under these conditions, the runtime fails to exit normally. In release builds, this results in the runtime hanging indefinitely, while in debug builds, it causes a crash due to dereferencing an invalid pointer. This behavior is attributed to an untrusted pointer dereference (CWE-822) and an integer overflow or related issue (CWE-190) in handling the memory address operand. Notably, this problem does not manifest when WAMR is running in FAST-JIT mode or when using other runtime tools, limiting the scope of the vulnerability to LLVM-JIT mode only. The issue has been addressed and fixed in version 2.4.2 of WAMR. The CVSS 4.0 base score is 2.1, indicating a low severity vulnerability, with an attack vector of local (AV:L), low complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and limited impact on availability (VA:L) but no impact on confidentiality or integrity. No known exploits are reported in the wild at this time.

For European organizations utilizing WAMR in LLVM-JIT mode, this vulnerability could lead to denial-of-service conditions where the runtime hangs or crashes upon processing crafted WebAssembly modules containing the problematic memory.fill instruction with large memory pointers. Although the severity is low and the attack vector is local, the impact could disrupt services or applications relying on WAMR for Wasm execution, particularly in development, testing, or embedded environments where LLVM-JIT mode is preferred. Since the vulnerability does not compromise confidentiality or integrity, the primary risk is operational disruption. Organizations deploying WAMR in production environments with automated or unattended Wasm execution workflows may experience service interruptions or require manual intervention to recover from hangs or crashes. The absence of known exploits reduces immediate risk, but unpatched systems remain vulnerable to potential future exploitation or accidental triggering by malformed Wasm modules. Given the increasing adoption of WebAssembly for edge computing, IoT, and cloud-native applications in Europe, this vulnerability could affect critical infrastructure components if WAMR is used without timely updates.

European organizations should prioritize upgrading WAMR to version 2.4.2 or later, where this vulnerability is fixed. For environments where immediate upgrade is not feasible, consider disabling LLVM-JIT mode and switching to FAST-JIT mode or other runtime tools that are not affected by this issue. Implement strict input validation and sandboxing for WebAssembly modules to prevent execution of untrusted or malformed Wasm code that could trigger the vulnerability. Monitoring runtime behavior for hangs or crashes can help detect exploitation attempts or accidental triggers. Additionally, integrate WAMR runtime updates into regular patch management cycles and conduct security testing of Wasm modules before deployment. For developers, avoid generating Wasm code that uses memory.fill instructions with large memory pointers in LLVM-JIT mode until the runtime is updated. Finally, maintain awareness of vendor advisories and community reports for any emerging exploits or related vulnerabilities.