Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3102 articles · 171983 vulns · 36/41 feeds (7d)
← Back to list
8.3
CVE-2026-58592EXPLOITED
apple · ladybird

Ladybird - Web-Reachable Code Execution via Dangling FunctionType Reference in WebAssembly ESM Integration

Description

Ladybird contains a dangling-reference memory-safety flaw in its WebAssembly ESM-integration module loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference to create_host_function, whose host callback captures and later reads that reference; once the ESM link-loop iteration ends the FunctionType is destroyed, leaving the callback with a dangling reference (the normal instantiate path uses a long-lived reference and is not affected). Stale result-type data lets the host callback return an empty result vector for a statically non-empty result, so the destination register retains an attacker-influenced value that is then consumed by the WASM-GC array.set handler, which bit-casts the reference low bits to an ArrayInstance pointer after only a null check, yielding an arbitrary write. A web page can chain this into code execution in the WebContent process. Verified reachable from HTML content without any instrumentation or source modification.

Affected Products

VendorProductVersions
appleladybird0

References

  • https://github.com/bikini/exploitarium/tree/main/ladybird-wasm-esm-host-function-rce-poc(exploit)
  • https://github.com/LadybirdBrowser/ladybird/blob/master/Libraries/LibWeb/WebAssembly/WebAssemblyModule.cpp(product)
  • https://www.vulncheck.com/advisories/ladybird-web-reachable-code-execution-via-dangling-functiontype-reference-in-webassembly-esm-integration(third-party-advisory)

Related News (1 articles)

Tier C
VulDB5d ago
CVE-2026-58592 | LadybirdBrowser Ladybird WebAssembly WebAssemblyModule.cpp expired pointer dereference
→ No new info (linked only)
CVSS 3.18.3 HIGH
VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA KEV❌ No
Actively exploited✅ Yes
CWECWE-825, CWE-843, CWE-787
PublishedJul 1, 2026
Last enriched5d agov2
Trending Score25
Source articles1
Independent1
Info Completeness9/14
Missing: epss, kev, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-39868
CVE-2026-39868: This issue was addressed with improved input validation. This issue is fixed in iOS 26.5.2 and iPadOS 26.5.2, macOS Taho
Trending: 24
CRITICALCVE-2026-43715EXP
CVE-2026-43715: A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 a
Trending: 23
CRITICALCVE-2026-43731EXP
CVE-2026-43731: A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 a
Trending: 23
CRITICALCVE-2026-43746EXP
CVE-2026-43746: A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 a
Trending: 22
CRITICALCVE-2026-43720EXP
CVE-2026-43720: A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 a
Trending: 22

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 1, 2026
Discovered by ZDM
Jul 1, 2026
Updated: severity, exploitAvailable, activelyExploited
Jul 1, 2026
Actively Exploited
Jul 2, 2026
Exploit Available
Jul 2, 2026

Version History

v2
Last enriched 5d ago
v2Tier C5d ago

Updated severity to CRITICAL and marked exploit as available and actively exploited.

severityexploitAvailableactivelyExploited
via VulDB
v15d ago

Initial creation