Hi,

The following vulnerability was published for rust-wasmtime.

CVE-2025-64345[0]:
| Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4,
| 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an
| unsound interaction where a WebAssembly shared linear memory could
| be viewed as a type which provides safe access to the host (Rust) to
| the contents of the linear memory. This is not sound for shared
| linear memories, which could be modified in parallel, and this could
| lead to a data race in the host. Patch releases have been issued for
| all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3,
| and 38.0.4. These releases reject creation of shared memories via
| `Memory::new` and shared memories are now excluded from core dumps.
| As a workaround, embeddings affected by this issue should use
| `SharedMemory::new` instead of `Memory::new` to create shared
| memories. Affected embeddings should also disable core dumps if they
| are unable to upgrade. Note that core dumps are disabled by default
| but the wasm threads proposal (and shared memory) is enabled by
| default.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-64345
    https://www.cve.org/CVERecord?id=CVE-2025-64345
[1] https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q
[2] https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10

Regards,
Salvatore
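
One way to check a dependency tree against the fixed releases listed in the description above. This is an added example, not part of the original message and not Wasmtime code. It assumes the usual `[[package]]` / `name` / `version` layout of `Cargo.lock` and treats release lines for which the description names no fixed version as affected; the function names and the sample lockfile are constructed for illustration.

```rust
// Flags wasmtime entries in a Cargo.lock that predate the fixed releases
// named in the advisory text: 24.0.5, 36.0.3, 37.0.3 and 38.0.4.
const FIXED: [(u64, u64, u64); 4] = [(24, 0, 5), (36, 0, 3), (37, 0, 3), (38, 0, 4)];

/// Parse "X.Y.Z" into a tuple, ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Assumption: release lines with no fixed version in the advisory
/// (below 24, and 25 through 35) are treated as affected.
fn is_affected(v: (u64, u64, u64)) -> bool {
    if v.0 > 38 { return false; }
    FIXED.iter().find(|f| f.0 == v.0).map_or(true, |f| v < *f)
}

/// Return (version, affected) for every `wasmtime` package in the lockfile text.
fn scan_lockfile(lock: &str) -> Vec<(String, bool)> {
    let mut out = Vec::new();
    let mut name = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None;
        } else if let Some(n) = line.strip_prefix("name = ") {
            name = Some(n.trim_matches('"'));
        } else if let Some(v) = line.strip_prefix("version = ") {
            if name == Some("wasmtime") {
                let v = v.trim_matches('"');
                // Unparseable versions count as affected so they get reviewed.
                out.push((v.to_string(), parse_version(v).map_or(true, is_affected)));
            }
        }
    }
    out
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK: &str = "version = 4\n\n[[package]]\nname = \"wasmtime\"\nversion = \"36.0.2\"\n\n\
[[package]]\nname = \"wasmtime\"\nversion = \"38.0.4\"\n\n\
[[package]]\nname = \"wasmtime-environ\"\nversion = \"36.0.2\"\n";

fn main() {
    for (v, bad) in scan_lockfile(SAMPLE_LOCK) {
        println!("wasmtime {v}: {}", if bad { "affected by CVE-2025-64345" } else { "fixed" });
    }
}
```

A fixed version only covers the upgrade path; embeddings that stay on an older release still need the `SharedMemory::new` and core dump workarounds quoted in the description.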