← volver
CVE-2026-58592

Ladybird - Web-Reachable Code Execution via Dangling FunctionType Reference in WebAssembly ESM Integration

CVSS 8.9 HIGHEPSS 0.3%CWE-787CWE-825CWE-843
Vexday Risk Score
41Atención
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
CVSS 8.9EPSS 0.3%KEV nãoPoC públicaNuclei Metasploit Patch
Ciclo de vida
01 jul 2026Publicada en NVD
Recomendación: Planificar corrección próxima — ya existe PoC pública.
Ladybird contains a dangling-reference memory-safety flaw in its WebAssembly ESM-integration module loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference to create_host_function, whose host callback captures and later reads that reference; once the ESM link-loop iteration ends the FunctionType is destroyed, leaving the callback with a dangling reference (the normal instantiate path uses a long-lived reference and is not affected). Stale result-type data lets the host callback return an empty result vector for a statically non-empty result, so the destination register retains an attacker-influenced value that is then consumed by the WASM-GC array.set handler, which bit-casts the reference low bits to an ArrayInstance pointer after only a null check, yielding an arbitrary write. A web page can chain this into code execution in the WebContent process. Verified reachable from HTML content without any instrumentation or source modification.
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Productos afectados
LadybirdBrowser · Ladybird
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.