Impact
Ladybird contains a memory-safety flaw in its WebAssembly ESM-integration module loader. When a JavaScript function is imported through the ESM path, a stack-local Wasm::FunctionType is passed by reference to a host-function creator. The host callback later reads this reference after the FunctionType has been destroyed, so it operates on a dangling reference. Because the result-type data it reads is stale, the host callback returns an empty result vector for a function whose type declares a non-empty result, leaving the destination register holding an attacker-controlled value. That value is then consumed by the WebAssembly GC array.set handler, which casts its low bits to an ArrayInstance pointer after only a null check. The sequence yields an arbitrary memory write that can be leveraged to execute code in the WebContent process. The vulnerability is scored at CVSS 8.9, indicating high severity.
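The two defensive patterns implied by the description, as an added illustration that is not Ladybird's code: the host-function creator owns a copy of the function type rather than a reference to the loader's stack-local, and the caller checks result arity before anything reaches a destination register. All type and function names here are assumed stand-ins, not the project's API.

```cpp
// Added illustration, not Ladybird's code: copy the FunctionType instead of
// referencing the loader's stack-local, and check result arity on return.
#include <functional>
#include <optional>
#include <utility>
#include <vector>

enum class ValueType { I32, I64, F32, F64, ExternRef };

// Hypothetical stand-in for Wasm::FunctionType.
struct FunctionType {
    std::vector<ValueType> params;
    std::vector<ValueType> results;
};

using HostCallback = std::function<std::vector<long>(FunctionType const&, std::vector<long> const&)>;

struct HostFunction {
    FunctionType type; // owned by value, so it outlives the creator's frame
    HostCallback callback;
};

// Taking `type` by value keeps a temporary passed by the loader valid for as
// long as the HostFunction lives; a `FunctionType const&` member would dangle.
HostFunction create_host_function(FunctionType type, HostCallback callback)
{
    return HostFunction { std::move(type), std::move(callback) };
}

// Invoke the host function, trapping (nullopt) on any arity mismatch instead
// of letting a short result vector leave a register holding stale data.
std::optional<std::vector<long>> invoke(HostFunction const& fn, std::vector<long> const& args)
{
    if (args.size() != fn.type.params.size())
        return std::nullopt;
    auto results = fn.callback(fn.type, args);
    if (results.size() != fn.type.results.size())
        return std::nullopt;
    return results;
}

// Built the way an ESM loader might: `t` dies when this function returns. With
// `drop_result` the callback mimics the stale-type failure (no value for a declared result).
HostFunction make_adder(bool drop_result)
{
    FunctionType t { { ValueType::I32, ValueType::I32 }, { ValueType::I32 } };
    return create_host_function(t, [drop_result](FunctionType const&, std::vector<long> const& a) {
        return drop_result ? std::vector<long> {} : std::vector<long> { a[0] + a[1] };
    });
}
```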
Affected Systems
The affected product is the Ladybird web browser. No specific version numbers are listed in the CNA data, so any release of Ladybird that includes the WebAssembly ESM integration is potentially impacted.
Risk and Exploitability
The likely attack vector is a web page that imports a WebAssembly module via the ESM path. Based on the description, it is inferred that the victim only needs to load such a page to trigger the vulnerability, with no further user interaction required. The EPSS score of <1% suggests a low probability of exploitation at this time, and the vulnerability is not listed in CISA's KEV catalog, but the high CVSS score and the fact that the flaw is reachable from any web page mean that a successful attack could lead to arbitrary code execution in the browser's WebContent process.
OpenCVE Enrichment