CVE-2025-8028
Unknown · WebAssembly / WASM Engine
A memory-related vulnerability in WASM `br_table` instructions on arm64 can lead to incorrect branch address calculation and potential code execution.
Executive summary
A critical vulnerability in the WASM br_table instruction processing on arm64 architectures may allow for incorrect memory addressing and potential exploitation.
Vulnerability
This is a memory-related flaw triggered during the execution of a WASM br_table instruction on arm64 systems. The issue arises when a large number of table entries causes label truncation, resulting in an incorrect branch address calculation.
Business impact
The ability to influence branch addresses in an execution engine is a critical flaw that can lead to arbitrary code execution or application crashes. With a CVSS score of 9.8, this vulnerability poses an extreme threat to system integrity, particularly in environments relying on WASM for sandboxed or high-performance code execution.
Remediation
Immediate Action: Identify and update all software components utilizing WASM runtimes on arm64 architecture to the latest vendor-provided versions.
Proactive Monitoring: Monitor for abnormal application crashes or unexpected instruction pointer behavior in logs, which may indicate attempted exploitation.
Compensating Controls: Where possible, restrict the execution of untrusted WASM modules and ensure that host systems have hardware-level memory protections enabled.
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
The criticality of this vulnerability cannot be overstated given its potential to bypass execution sandboxing. Administrators should prioritize updating any software stack that processes WASM modules on arm64 platforms to mitigate the risk of arbitrary code execution.