OFFSITE.DARK

Jul 1, 2026


Exploitarium

  • ladybird
  • wasm
  • browser
  • rce
  • exploitarium

news

Ladybird WebAssembly ESM Host Function RCE PoC

Dangling Wasm FunctionType reference plus memory64 ImageData leak chains to native code execution in WebContent — marker touch /tmp/ladybird_wasm_esm_rce.

Summary

Ladybird's ESM WebAssembly import path passes a stack-local FunctionType by reference into a long-lived host callback; stale result metadata lets array.set consume a forged GC reference and write through attacker-shaped native memory. A separate memory64 ImageData/WebGL leak recovers liblagom-wasm and libc bases for a setcontext chain that executes touch /tmp/ladybird_wasm_esm_rce in the WebContent process. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

Finding           Detail
Product / target  Ladybird @ 31bb4d872d802c78ce23d2f273a300f36e8ef6a0 (Linux headless replay)
Primitive         Dangling FunctionType& in host callback + stale Wasm register + moved memory64 backing store
Impact            Browser-reachable native code execution in WebContent from a standalone poc.html page.

Attack Chain

ESM Wasm import → dangling FunctionType → empty host return preserves stale register → array.set native write → leak bases → forged vtable/setcontext → marker file

Mitigation

Host callbacks must own a stable FunctionType copy; enforce host result arity against static callee types; avoid caching raw pointers into user memory64 backing stores in ImageData.
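The first two mitigation points can be shown in code. The following C++ sketch is an added example written for this page, not Ladybird's or the PoC's code; the types FunctionType, Value and HostFunction and the functions make_host_function, invoke_host and host_results_match are assumed stand-ins for whatever the real engine uses. It registers a host import that owns a copy of its signature (so the signature outlives the stack-local it was built from) and refuses to hand back results whose count or types do not match the static callee type, so an import that returns nothing is trapped instead of leaving a stale value in the result slot.

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>
#include <optional>
#include <vector>

// Assumed minimal stand-ins for Wasm value types; not Ladybird's real types.
enum class ValueType { I32, I64, F32, F64, Ref };

struct FunctionType {
    std::vector<ValueType> params;
    std::vector<ValueType> results;
};

struct Value {
    ValueType type;
    uint64_t bits;
};

// A registered host import. The signature is held by value (owning copy),
// never as a FunctionType& into a caller's stack frame.
struct HostFunction {
    FunctionType type;
    std::function<std::vector<Value>(const std::vector<Value>&)> impl;
};

// Check what the host actually returned against the static callee signature.
// Every declared result slot must be present with the declared type; a short
// or empty result vector is rejected rather than leaving a stale register.
bool host_results_match(const FunctionType& callee, const std::vector<Value>& results) {
    if (results.size() != callee.results.size())
        return false;
    for (size_t i = 0; i < results.size(); ++i)
        if (results[i].type != callee.results[i])
            return false;
    return true;
}

// Invoke a host import; return nullopt (the caller traps) on any mismatch
// of argument or result arity/types instead of propagating partial state.
std::optional<std::vector<Value>> invoke_host(const HostFunction& fn, const std::vector<Value>& args) {
    if (args.size() != fn.type.params.size())
        return std::nullopt;
    for (size_t i = 0; i < args.size(); ++i)
        if (args[i].type != fn.type.params[i])
            return std::nullopt;
    std::vector<Value> results = fn.impl(args);
    if (!host_results_match(fn.type, results))
        return std::nullopt;
    return results;
}

// Build a host import from a signature that exists only for this call
// (mirrors an import-resolution step working from a temporary). The
// returned HostFunction copies it, so nothing dangles after return.
HostFunction make_host_function(std::vector<ValueType> params, std::vector<ValueType> results,
                                std::function<std::vector<Value>(const std::vector<Value>&)> impl) {
    FunctionType local { std::move(params), std::move(results) };  // stack-local
    return HostFunction { local, std::move(impl) };                 // copied in
}

// Constructed sample imports: a well-behaved i32 add, and a misbehaving
// import declared to return a reference but returning nothing.
HostFunction make_add_import() {
    return make_host_function({ ValueType::I32, ValueType::I32 }, { ValueType::I32 },
        [](const std::vector<Value>& a) {
            return std::vector<Value>{ Value{ ValueType::I32, (a[0].bits + a[1].bits) & 0xffffffffu } };
        });
}

HostFunction make_empty_return_import() {
    return make_host_function({}, { ValueType::Ref },
        [](const std::vector<Value>&) { return std::vector<Value>{}; });
}

// Named demos so the outcomes can be checked as return values.
bool demo_valid_import_returns_42() {
    HostFunction add = make_add_import();
    auto r = invoke_host(add, { Value{ ValueType::I32, 2 }, Value{ ValueType::I32, 40 } });
    return r.has_value() && r->size() == 1 && (*r)[0].bits == 42;
}

bool demo_empty_return_is_rejected() {
    HostFunction bad = make_empty_return_import();
    auto r = invoke_host(bad, {});
    return !r.has_value();
}

int main() {
    std::printf("add import ok: %d\n", demo_valid_import_returns_42());
    std::printf("empty Ref return rejected: %d\n", demo_empty_return_is_rejected());
    return 0;
}
```

The third mitigation point (not caching raw pointers into a user-controlled memory64 backing store) is a lifetime rule on the ImageData side rather than a check, so it is not modelled here.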
