Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered via web page (AV:N) with no privileges (PR:N) but victim must visit a page (UI:R) and precise heap/timing control is needed (AC:H); renderer memory corruption crossing into process code execution justifies S:C and full C/I/A:H.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Ladybird contains a dangling-reference memory-safety flaw in its WebAssembly ESM-integration module loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference to create_host_function, whose host callback captures and later reads that reference; once the ESM link-loop iteration ends the FunctionType is destroyed, leaving the callback with a dangling reference (the normal instantiate path uses a long-lived reference and is not affected). Stale result-type data lets the host callback return an empty result vector for a statically non-empty result, so the destination register retains an attacker-influenced value that is then consumed by the WASM-GC array.set handler, which bit-casts the reference low bits to an ArrayInstance pointer after only a null check, yielding an arbitrary write. A web page can chain this into code execution in the WebContent process. Verified reachable from HTML content without any instrumentation or source modification.
AnalysisAI
Reachable code execution in the Ladybird browser arises from a dangling-reference flaw (CWE-825) in the WebAssembly ESM-integration module loader, where a stack-local Wasm::FunctionType is captured by reference and read after destruction. A malicious web page can chain the resulting stale result-type data into an arbitrary write via the WASM-GC array.set handler and gain code execution in the WebContent process. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to load attacker-controlled HTML in Ladybird (UI:A - active user interaction, e.g., visiting a page) and specifically requires the WebAssembly ESM-integration path: a WebAssembly module must import a JavaScript function via ESM so that WebAssemblyModule.cpp routes creation through create_host_function with the stack-local Wasm::FunctionType. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly aligned toward genuine severity but tempered by exploitation difficulty and deployment scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A victim using Ladybird navigates to an attacker-controlled web page that serves a crafted WebAssembly module using ESM integration to import a JavaScript function, triggering the dangling FunctionType reference. The stale result-type data yields an attacker-influenced value that the WASM-GC array.set handler bit-casts into an ArrayInstance pointer, giving an arbitrary write that is chained to code execution in the WebContent process. … |
| Remediation | No vendor-released patch version is identified in the available data; the references point only to the vulnerable source file on the master branch and the VulnCheck advisory, so users should upgrade to the latest Ladybird build once the maintainers publish a fix that removes the dangling FunctionType reference (track https://github.com/LadybirdBrowser/ladybird and the advisory at https://www.vulncheck.com/advisories/ladybird-web-reachable-code-execution-via-dangling-functiontype-reference-in-webassembly-esm-integration for the fixed commit/tag, and rebuild from source). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Conduct an inventory of all systems running Ladybird browser and establish baseline usage patterns and business dependencies. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-825 – Expired Pointer Dereference
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41130
GHSA-vm9p-mx69-hf3f