Description
Ladybird contains a dangling-reference memory-safety flaw in its WebAssembly ESM-integration module loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference to create_host_function, whose host callback captures and later reads that reference; once the ESM link-loop iteration ends the FunctionType is destroyed, leaving the callback with a dangling reference (the normal instantiate path uses a long-lived reference and is not affected). Stale result-type data lets the host callback return an empty result vector for a statically non-empty result, so the destination register retains an attacker-influenced value that is then consumed by the WASM-GC array.set handler, which bit-casts the reference low bits to an ArrayInstance pointer after only a null check, yielding an arbitrary write. A web page can chain this into code execution in the WebContent process. Verified reachable from HTML content without any instrumentation or source modification.
Published: 2026-07-01
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ladybird contains a memory-safety flaw in its WebAssembly ESM-integration module loader. When a JavaScript function is imported through the ESM path, a stack-local Wasm::FunctionType is passed by reference to a host-function creator. The host callback later reads this reference after the FunctionType has been destroyed, resulting in a dangling reference. Stale result-type data causes the host callback to return an empty result vector for a non-empty result, so the destination register contains an attacker-controlled value that is then consumed by the WebAssembly GC array.set handler, which casts low bits of the value to an ArrayInstance pointer after only a null check. This sequence yields an arbitrary memory write that can be leveraged to execute code in the WebContent process. The vulnerability is scored at CVSS 8.9, indicating high severity.
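The two defects the description combines, a closure that captures a reference to a caller-scoped signature (CWE-825) and a result vector that is written back without being checked against the declared result count, are both lifetime and validation mistakes that show up clearly in a small model. The following is an added example, not Ladybird's code; the names FunctionType, Value, HostFunction, make_host_function and link_imports are assumed for illustration and do not correspond to the project's API. It shows the hardened form: the closure owns its own copy of the signature, and a host callback that returns the wrong number of results is rejected rather than leaving a stale value in the destination register.

```cpp
// Added example (not Ladybird's code). Names such as FunctionType, Value,
// HostFunction, make_host_function and link_imports are assumed for illustration.
#include <cstdint>
#include <functional>
#include <iostream>
#include <stdexcept>
#include <utility>
#include <vector>

// Simplified stand-in for a Wasm function signature: parameter and result type codes.
struct FunctionType {
    std::vector<int> parameters;
    std::vector<int> results;
};

using Value = std::uint64_t;
using Values = std::vector<Value>;
using HostFunction = std::function<Values(Values const&)>;

// Thrown in place of a Wasm trap when a host function violates its signature.
struct HostResultMismatch : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Hardened wrapper. Two points matter:
//  1. The closure owns a copy of the signature (captured by value), so it stays
//     valid after the caller's FunctionType (a loop-local in the bug) is gone.
//     The defective pattern captured a `FunctionType const&` to a caller-scoped
//     object, leaving a dangling reference once that scope ended (CWE-825).
//  2. The number of results the JS callback produced is checked against the
//     declared count before they are written back, so an under-sized result
//     vector traps instead of leaving a stale value in the destination register.
HostFunction make_host_function(FunctionType type, std::function<Values(Values const&)> js_callback)
{
    return [type = std::move(type), js_callback = std::move(js_callback)](Values const& args) -> Values {
        if (args.size() != type.parameters.size())
            throw HostResultMismatch("argument count does not match declared parameters");
        Values results = js_callback(args);
        if (results.size() != type.results.size())
            throw HostResultMismatch("host callback returned wrong number of results");
        return results;
    };
}

// Models the ESM link loop: each iteration builds a signature in a local,
// creates the host function, and the local dies at the end of the iteration.
std::vector<HostFunction> link_imports(std::vector<std::vector<int>> const& result_types)
{
    std::vector<HostFunction> imports;
    for (auto const& results : result_types) {
        FunctionType type { std::vector<int> { 0 }, results };
        imports.push_back(make_host_function(type, [](Values const& a) { return Values { a[0] * 2 }; }));
    } // `type` is destroyed here; each closure keeps its own copy.
    return imports;
}

// Calls the linked imports after the link loop has finished. Returns true when the
// correctly-sized result comes back intact and the under-sized one is trapped.
bool result_count_enforced()
{
    auto imports = link_imports({ { 0 }, { 0, 0 } });
    // First import: one declared result, callback returns one; must succeed.
    if (imports[0](Values { 21 }) != Values { 42 })
        return false;
    // Second import: two declared results, callback returns one; must trap.
    try {
        imports[1](Values { 1 });
    } catch (HostResultMismatch const&) {
        return true;
    }
    return false;
}

int main()
{
    std::cout << (result_count_enforced() ? "signature checks enforced\n" : "check failed\n");
    return 0;
}
```

The reference-capturing variant of make_host_function compiles without warning, which is why this class of bug survives review; building the test with `-fsanitize=address` reports it as a stack-use-after-scope when the closure is invoked after the loop iteration ends, so a sanitizer run of the link path is the cheapest regression check for this pattern.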

Affected Systems

The affected product is the Ladybird web browser. No specific version numbers are listed in the CNA data, so any release of Ladybird that includes the WebAssembly ESM integration is potentially impacted.

Risk and Exploitability

The likely attack vector is a web page that imports a WebAssembly module via the ESM path. Based on the description, it is inferred that the victim simply needs to load such a page to trigger the vulnerability, with no additional user interaction required. The EPSS score of <1% suggests a low probability of exploitation at this time, and the vulnerability is not listed in CISA's KEV catalog, but the high CVSS score and the publicly reachable nature of the exploit mean that a successful attack could lead to arbitrary code execution in the browser's WebContent process.

Generated by OpenCVE AI on July 3, 2026 at 15:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Ladybird browser release that contains the WebAssembly ESM module loader fix.
  • If an update is not available, disable WebAssembly ESM module loading or block .wasm file loading via browser policy settings.
  • As a temporary measure, enforce stricter sandboxing or restrict the privileges of the WebContent process to mitigate the impact of an arbitrary write.

Generated by OpenCVE AI on July 3, 2026 at 15:09 UTC.


Advisories

No advisories yet.

History

Thu, 02 Jul 2026 16:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 20:00:00 +0000

Type: Description
Values removed: (none)
Values added: Ladybird contains a dangling-reference memory-safety flaw in its WebAssembly ESM-integration module loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference to create_host_function, whose host callback captures and later reads that reference; once the ESM link-loop iteration ends the FunctionType is destroyed, leaving the callback with a dangling reference (the normal instantiate path uses a long-lived reference and is not affected). Stale result-type data lets the host callback return an empty result vector for a statically non-empty result, so the destination register retains an attacker-influenced value that is then consumed by the WASM-GC array.set handler, which bit-casts the reference low bits to an ArrayInstance pointer after only a null check, yielding an arbitrary write. A web page can chain this into code execution in the WebContent process. Verified reachable from HTML content without any instrumentation or source modification.

Type: Title
Values removed: (none)
Values added: Ladybird - Web-Reachable Code Execution via Dangling FunctionType Reference in WebAssembly ESM Integration

Type: Weaknesses
Values removed: (none)
Values added: CWE-787, CWE-825, CWE-843

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}; cvssV4_0 {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-02T15:55:07.091Z

Reserved: 2026-07-01T17:20:57.549Z

Link: CVE-2026-58592

Vulnrichment

Updated: 2026-07-02T15:27:48.054Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T15:15:15Z

Weaknesses
  • CWE-787: Out-of-bounds Write
  • CWE-825: Expired Pointer Dereference
  • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')