
CVE-2025-64345: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in bytecodealliance wasmtime

Severity: Low
Published: Wed Nov 12 2025 (11/12/2025, 21:25:50 UTC)
Source: CVE Database V5
Vendor/Project: bytecodealliance
Product: wasmtime

Description

Wasmtime is a runtime for WebAssembly. Prior to versions 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host. Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via `Memory::new` and shared memories are now excluded from core dumps. As a workaround, embeddings affected by this issue should use `SharedMemory::new` instead of `Memory::new` to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default.

AI-Powered Analysis

Last updated: 11/12/2025, 21:39:49 UTC

Technical Analysis

CVE-2025-64345 is a concurrency vulnerability classified under CWE-362 (Race Condition) in the Wasmtime WebAssembly runtime developed by bytecodealliance. Wasmtime allows embedding WebAssembly modules in host applications, and shared linear memory lets concurrent wasm threads access the same memory region. Prior to versions 24.0.5, 36.0.3, 37.0.3, and 38.0.4, the Rust embedder API allowed a shared linear memory to be viewed through a type that assumes exclusive, unchanging access (the safe view the host gets for non-shared memory). That assumption is unsound when other threads can modify the memory in parallel, so the host can be exposed to a data race, which is undefined behavior and can corrupt data in the host process. The vulnerability does not expose confidentiality breaches or availability disruptions but can compromise data integrity within the host process. Exploitation requires local access with high privileges and user interaction, making remote exploitation unlikely. The Wasmtime team patched this issue by rejecting shared memory creation through the `Memory::new` API and recommending `SharedMemory::new`, which does not hand the host a plain safe view of bytes that other threads may be writing. Additionally, shared memories are excluded from core dumps to prevent leakage of inconsistent memory states. Organizations embedding Wasmtime should upgrade to the fixed versions or apply the recommended API usage changes. If upgrading is not feasible, disabling core dumps is advised to reduce risk. No known exploits are reported in the wild, and the CVSS v3.1 score is low (1.8) due to the limited impact and exploitation complexity.

Potential Impact

For European organizations, the primary impact of CVE-2025-64345 lies in potential data integrity issues within applications embedding Wasmtime, especially those leveraging shared linear memory for concurrent WebAssembly threads. While the vulnerability does not directly compromise confidentiality or availability, data races can lead to unpredictable application behavior, subtle corruption of in-memory data structures, and potential downstream logic errors. This can affect software development tools, cloud-native applications, or edge computing platforms that integrate Wasmtime for WebAssembly execution. Organizations relying on Wasmtime in critical infrastructure or security-sensitive environments may face increased risk of integrity violations, complicating debugging and potentially undermining trust in application correctness. The requirement for local high-privilege access and user interaction limits the threat surface primarily to insider threats or compromised hosts. However, given the growing adoption of WebAssembly runtimes in European tech sectors, unpatched deployments could inadvertently introduce stability and integrity risks. The exclusion of shared memories from core dumps mitigates some risk of sensitive data leakage during crash analysis. Overall, the impact is low but non-negligible for organizations embedding Wasmtime in complex concurrent environments.

Mitigation Recommendations

1. Upgrade Wasmtime to the latest patched versions: 24.0.5, 36.0.3, 37.0.3, or 38.0.4 or later.
2. Modify embedding code to use `SharedMemory::new` instead of `Memory::new` when creating shared linear memories to ensure proper synchronization and soundness.
3. Disable core dumps in environments where upgrading or code changes are not immediately possible to prevent inconsistent memory state exposure.
4. Conduct code audits of Wasmtime embedding implementations to verify correct usage of shared memory APIs and absence of unsafe concurrency patterns.
5. Implement strict access controls to limit local high-privilege user access to hosts running Wasmtime to reduce exploitation risk.
6. Monitor Wasmtime runtime logs and application behavior for anomalies indicative of data races or memory corruption.
7. Educate development teams on safe concurrency practices when working with WebAssembly shared memory and Rust embedding APIs.
8. Consider sandboxing or isolating Wasmtime processes to contain potential integrity issues.
9. Stay informed on Wasmtime security advisories for any future updates or related vulnerabilities.
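The following added example (not Wasmtime's code, and it does not depend on the wasmtime crate) models in plain Rust the distinction behind the Description and recommendation 2: a non-shared memory can soundly give the host a `&[u8]` view, while a shared memory may only be read through per-byte atomics, and the post-fix `Memory::new` refuses to build a shared memory at all. `MemoryType`, `Memory`, `SharedMemory` and `PAGE` here are stand-ins that mirror the shape of the real API, not the real types.

```rust
use std::sync::atomic::{AtomicU8, Ordering};
use std::sync::Arc;
use std::thread;

/// One wasm page; the sizes are only for the model.
pub const PAGE: usize = 65_536;

/// Stand-in for wasmtime's MemoryType: only the `shared` flag matters here.
#[derive(Clone, Copy)]
pub struct MemoryType { pub min_pages: usize, pub shared: bool }

/// Shared linear memory. The only host view is a slice of atomics, so a
/// wasm thread writing in parallel can never race against a host `&[u8]`.
#[derive(Clone)]
pub struct SharedMemory { bytes: Arc<Vec<AtomicU8>> }

impl SharedMemory {
    pub fn new(ty: MemoryType) -> Result<Self, String> {
        if !ty.shared { return Err("use Memory::new for non-shared memory".into()); }
        let bytes = (0..ty.min_pages * PAGE).map(|_| AtomicU8::new(0)).collect();
        Ok(Self { bytes: Arc::new(bytes) })
    }
    pub fn data(&self) -> &[AtomicU8] { &self.bytes }
    pub fn load(&self, i: usize) -> u8 { self.bytes[i].load(Ordering::SeqCst) }
    pub fn store(&self, i: usize, v: u8) { self.bytes[i].store(v, Ordering::SeqCst) }
}

/// Non-shared linear memory: exclusive ownership makes a `&[u8]` view sound.
pub struct Memory { bytes: Vec<u8> }

impl Memory {
    /// Patched behaviour from the advisory: refuse shared memories here, because
    /// `data()` would otherwise hand out a `&[u8]` over bytes another thread may write.
    pub fn new(ty: MemoryType) -> Result<Self, String> {
        if ty.shared { return Err("shared memories must be created with SharedMemory::new".into()); }
        Ok(Self { bytes: vec![0; ty.min_pages * PAGE] })
    }
    pub fn data(&self) -> &[u8] { &self.bytes }
    pub fn data_mut(&mut self) -> &mut [u8] { &mut self.bytes }
}

/// A "wasm thread" fills the first `n` bytes while the host reads them
/// concurrently through atomics; no undefined behaviour either way.
pub fn concurrent_fill(n: usize) -> Vec<u8> {
    let mem = SharedMemory::new(MemoryType { min_pages: 1, shared: true }).unwrap();
    let writer = mem.clone();
    let handle = thread::spawn(move || (0..n).for_each(|i| writer.store(i, i as u8)));
    let _seen_so_far = (0..n).filter(|&i| mem.load(i) == i as u8).count(); // racing read, still sound
    handle.join().unwrap();
    (0..n).map(|i| mem.load(i)).collect()
}
```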


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-30T17:40:52.031Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6914fdef6c8e220c428f7f32

Added to database: 11/12/2025, 9:36:47 PM

Last enriched: 11/12/2025, 9:39:49 PM

Last updated: 11/12/2025, 10:45:07 PM
