๐Ÿ” CVE Alert

CVE-2026-58592

HIGH 8.3

Ladybird - Web-Reachable Code Execution via Dangling FunctionType Reference in WebAssembly ESM Integration

CVSS Score: 8.3
EPSS Score: 0.3%
EPSS Percentile: 23rd

Ladybird contains a dangling-reference memory-safety flaw in its WebAssembly ESM-integration module loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference to create_host_function, whose host callback captures and later reads that reference; once the ESM link-loop iteration ends the FunctionType is destroyed, leaving the callback with a dangling reference (the normal instantiate path uses a long-lived reference and is not affected). Stale result-type data lets the host callback return an empty result vector for a statically non-empty result, so the destination register retains an attacker-influenced value that is then consumed by the WASM-GC array.set handler, which bit-casts the reference low bits to an ArrayInstance pointer after only a null check, yielding an arbitrary write. A web page can chain this into code execution in the WebContent process. Verified reachable from HTML content without any instrumentation or source modification.
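
The lifetime pattern described above, reduced to a self-contained C++ model as an added example (not Ladybird's code). FunctionType, HostFunction, link_imports and call_checked are hypothetical stand-ins; the block contrasts the by-reference capture with an owning capture and adds a result-arity check on the caller side.

```cpp
#include <cstddef>
#include <functional>
#include <optional>
#include <vector>

// Hypothetical stand-in for a Wasm function signature (not Ladybird's type).
struct FunctionType {
    std::size_t param_count;
    std::size_t result_count;
};
using Values = std::vector<long>;
using HostFunction = std::function<Values(Values const&)>;

// Unsafe pattern: the callback keeps a reference to the caller's object, so
// invoking it after `type` is destroyed is undefined behaviour. Never called here.
HostFunction make_host_function_by_ref(FunctionType const& type) {
    return [&type](Values const&) { return Values(type.result_count, 0); };
}

// Hardened: the callback owns its copy of the signature.
HostFunction make_host_function_owned(FunctionType type) {
    return [type](Values const&) { return Values(type.result_count, 0); };
}

// Link loop with a per-iteration stack-local signature, as in the description.
std::vector<HostFunction> link_imports(std::vector<FunctionType> const& declared) {
    std::vector<HostFunction> callbacks;
    for (auto const& decl : declared) {
        FunctionType local = decl; // destroyed when this iteration ends
        callbacks.push_back(make_host_function_owned(local));
    }
    return callbacks;
}

// Defence in depth: reject a host result whose arity differs from the static
// signature instead of leaving the destination register untouched.
std::optional<Values> call_checked(HostFunction const& fn, FunctionType const& static_type, Values const& args) {
    Values results = fn(args);
    if (args.size() != static_type.param_count || results.size() != static_type.result_count)
        return std::nullopt; // treat as a trap
    return results;
}

int main() {
    std::vector<FunctionType> declared { FunctionType { 0, 1 } };
    auto callbacks = link_imports(declared);
    return call_checked(callbacks[0], declared[0], Values {}).has_value() ? 0 : 1;
}
```

Building the by-reference variant with AddressSanitizer (`-fsanitize=address -fsanitize-address-use-after-scope`) is one way to surface this class of bug in testing.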

CWE: CWE-825, CWE-843, CWE-787
Vendor: ladybirdbrowser
Product: ladybird
Published: Jul 1, 2026
Last Updated: Jul 2, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

LadybirdBrowser / Ladybird
0

References

github.com: https://github.com/bikini/exploitarium/tree/main/ladybird-wasm-esm-host-function-rce-poc
github.com: https://github.com/LadybirdBrowser/ladybird/blob/master/Libraries/LibWeb/WebAssembly/WebAssemblyModule.cpp
vulncheck.com: https://www.vulncheck.com/advisories/ladybird-web-reachable-code-execution-via-dangling-functiontype-reference-in-webassembly-esm-integration