- ladybird
- wasm
- browser
- rce
- exploitarium
news
Ladybird WebAssembly ESM Host Function RCE PoC
A dangling Wasm FunctionType reference combined with a memory64 ImageData leak chains to native code execution in WebContent; the proof marker is touch /tmp/ladybird_wasm_esm_rce.
Summary
Ladybird's ESM WebAssembly import path passes a stack-local FunctionType by reference into a long-lived host callback; once that reference dangles, stale result metadata lets array.set consume a forged GC reference and write through attacker-shaped native memory. A separate memory64 ImageData/WebGL leak recovers the liblagom-wasm and libc base addresses for a setcontext chain that runs touch /tmp/ladybird_wasm_esm_rce in the WebContent process. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | Ladybird @ 31bb4d872d802c78ce23d2f273a300f36e8ef6a0 (Linux headless replay) |
| Primitive | Dangling FunctionType& in host callback + stale Wasm register + moved memory64 backing store |
| Impact | Browser-reachable native code execution in WebContent from a standalone poc.html page |
Attack Chain
ESM Wasm import → dangling FunctionType → empty host return preserves stale register → array.set native write → leak bases → forged vtable/setcontext → marker file
Mitigation
Host callbacks must own a stable copy of the FunctionType rather than a reference to a caller's stack-local; the engine must check that the number and types of a host function's results match the callee's static type before they reach the operand stack; and ImageData must not cache raw pointers into user-controlled memory64 backing stores, which can be moved.
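The following is an added illustration of the first two mitigations and is not Ladybird's code: a toy host-function layer (the FunctionType, Value, HostFunction and invoke_host names are all assumptions made for this example) that stores the callee type by value at registration time and traps when a host callback returns a different number or type of results than the static type declares, so no stale operand-stack slot can be promoted to a result.

```cpp
// Added illustration (not Ladybird code): own the FunctionType by value and
// validate host results against the static callee type before pushing them.
#include <cassert>
#include <cstddef>
#include <functional>
#include <utility>
#include <vector>

enum class ValueType { I32, I64, Ref };
enum class CallStatus { Ok, ArityMismatch, TypeMismatch };

struct FunctionType {
    std::vector<ValueType> params;
    std::vector<ValueType> results;
};

struct Value {
    ValueType type;
    long long bits;  // toy payload, not a real Wasm value representation
};

using HostCallback = std::function<std::vector<Value>(const std::vector<Value>&)>;

// Unsafe shape, as the advisory describes it: the callback keeps a reference to a
// FunctionType that may live on the registering caller's stack.
struct HostFunctionUnsafe {
    const FunctionType& type;  // dangles once the caller's frame is gone
    HostCallback callback;
};

// Hardened shape: the host function owns its type and outlives any caller frame.
struct HostFunction {
    FunctionType type;  // copied at registration, not aliased
    HostCallback callback;
};

HostFunction register_host_function(const FunctionType& type, HostCallback callback) {
    return HostFunction{type, std::move(callback)};  // copy, not alias
}

// Check arity and per-slot types of host results against the static type.
CallStatus validate_results(const FunctionType& type, const std::vector<Value>& results) {
    if (results.size() != type.results.size())
        return CallStatus::ArityMismatch;
    for (std::size_t i = 0; i < results.size(); ++i)
        if (results[i].type != type.results[i])
            return CallStatus::TypeMismatch;
    return CallStatus::Ok;
}

// Run the callback and push its results; on any mismatch, trap without touching
// the operand stack, so a stale slot is never read back as a result.
CallStatus invoke_host(const HostFunction& fn, const std::vector<Value>& args,
                       std::vector<Value>& operand_stack) {
    std::vector<Value> results = fn.callback(args);
    CallStatus status = validate_results(fn.type, results);
    if (status != CallStatus::Ok)
        return status;
    operand_stack.insert(operand_stack.end(), results.begin(), results.end());
    return CallStatus::Ok;
}

// The type is a stack-local here; the returned HostFunction stays valid after
// this frame returns because register_host_function copied it. The callback
// deliberately returns nothing although one Ref result is declared.
HostFunction make_empty_returning_host_function() {
    FunctionType local_type{{ValueType::I32}, {ValueType::Ref}};
    return register_host_function(local_type, [](const std::vector<Value>&) {
        return std::vector<Value>{};  // arity 0 vs declared 1
    });
}

// Same static type, but the callback honours it.
HostFunction make_well_formed_host_function() {
    FunctionType local_type{{ValueType::I32}, {ValueType::Ref}};
    return register_host_function(local_type, [](const std::vector<Value>& args) {
        return std::vector<Value>{Value{ValueType::Ref, args[0].bits}};
    });
}

int main() {
    std::vector<Value> stack{Value{ValueType::I64, 0x41}};  // pre-existing slot
    HostFunction bad = make_empty_returning_host_function();
    assert(invoke_host(bad, {Value{ValueType::I32, 1}}, stack) == CallStatus::ArityMismatch);
    assert(stack.size() == 1);  // stale slot was not promoted to a result
    HostFunction good = make_well_formed_host_function();
    assert(invoke_host(good, {Value{ValueType::I32, 1}}, stack) == CallStatus::Ok);
    assert(stack.size() == 2);
    return 0;
}
```

The design point is that the two checks are independent: copying the type at registration closes the lifetime hole, while validating results against that copy closes the arity hole, and neither relies on the host callback being well behaved.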