Security context

What an agent needs to avoid regressing past fixes and find the next vuln in this repo.

WebAssembly/spec
main @ d7b37e4
12
Fixes
0
CVEs
HIGH
Peak severity
Highlights
Auth Bypass: 3 prior fixes. Scrutinize any change in this area.
interpreter/exec/eval.ml: most-fixed (3 issues). Treat as high-risk during review.
11 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns

The bug types that recur here, drawn from past fixes, not open vulnerabilities.

Integer Overflow: Integer overflow in memory growth and address calculation (e.g., wrap-around on addition or memory resizing) can bypass safety bounds, resulting in arbitrary out-of-bounds memory accesses inside the interpreter.
Type Confusion: Subtyping mismatches, improper direction checks on indirect calls, and insufficient local variable validation can trick execution engines into executing mismatched function types, breaking type safety guarantees.
Out-of-Bounds Write: Using signed instead of unsigned comparison during table or memory boundaries calculations allows negative bounds to bypass checks, causing out-of-bounds writes during range mutations.