N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-2pgj-5cv2-6xxw

EPSS Score

CWE

CWE-416

Published

10/8/2025

Updated

10/8/2025

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-2pgj-5cv2-6xxw

GHSA-2pgj-5cv2-6xxw: FuelVM is vulnerable to heap memory allocation re-use bug

Impact

A memory safety vulnerability was present in the Fuel Virtual Machine (FuelVM), where memory reads could bypass expected access controls. Specifically, when a smart contract performed a mload (or other opcodes which access memory) on memory that had been deallocated using ret, it was still able to access the old memory contents. This occurred because the memory region was not zeroed out or otherwise marked as invalid. As a result, smart contracts could potentially read sensitive data left over from other contracts if the same memory was reallocated, violating isolation guarantees between contracts and enabling unintended data leakage.

All users running affected versions of FuelVM that relied on strict memory isolation between smart contracts were impacted.

Patches

The vulnerability was patched by modifying the FuelVM to ensure that memory deallocated with ret was zeroed out or made inaccessible. The fix was included in FuelVM version v0.60.1 and back-ported to v0.59.3. This patch was released to the Fuel network on Friday, April 18th, 2025.

Workarounds

There were no reliable workarounds that fully mitigated the vulnerability. While developers could manually zero out sensitive memory regions before returning from a function, this approach was error-prone and could not be enforced at the VM level. Upgrading to a patched version remained the recommended course of action.

References

Fix implemented in the FuelVM GitHub repository (https://github.com/FuelLabs/fuel-vm/pull/941)

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-2pgj-5cv2-6xxw

EPSS Score

CWE

CWE-416

Published

10/8/2025

Updated

10/8/2025

KEV Status

Technology

Rust

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fuel-vm	rust	< 0.59.3	0.59.3
fuel-vm	rust	>= 0.60.0, < 0.60.1	0.60.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided security advisory and the associated commit 9c97c2bf782626b35ba48e154f210f91c847a513 points to a 'Use After Free' vulnerability in the FuelVM's memory management. The vulnerability description explicitly states that memory deallocated by ret is not cleared, allowing subsequent memory accesses (mload) to read stale data. The patch is located in fuel-vm/src/interpreter/memory.rs, within the MemoryInstance implementation. The changes introduce code to explicitly zero out the heap (self.heap[..end].fill(0);) before a reallocation occurs. The accompanying test file, allocation_tests.rs, adds tests named memory_instance__grow_heap_by_after_reset__does_not_retain_dirty_memory_size, which confirms that the function being fixed is grow_heap_by. This function is responsible for expanding the heap, and the vulnerability manifests when it reallocates memory without sanitizing the old content. Therefore, fuel_vm::interpreter::memory::MemoryInstance::grow_heap_by is the precise vulnerable function that would appear in a runtime profile during exploitation, as it's the function that fails to enforce memory isolation during heap growth operations.

Vulnerable functions

fuel_vm::interpreter::memory::MemoryInstance::grow_heap_by

fuel-vm/src/interpreter/memory.rs

The vulnerability exists because the `grow_heap_by` function did not properly clear heap memory during reallocation. When a smart contract deallocated memory (e.g., via the `ret` opcode), the memory was not zeroed out. If another contract subsequently requested memory, triggering a heap reallocation via `grow_heap_by`, the old, stale data from the previous contract would be present in the newly allocated memory region. This allowed the new contract to read potentially sensitive data from the previous one, breaking memory isolation guarantees. The `grow_heap_by` function is the runtime indicator as it's responsible for the insecure memory reallocation that exposes the stale data.

WAF Protection Rules

WAF Rule

### Imp**t * m*mory s***ty vuln*r**ility w*s pr*s*nt in t** *u*l Virtu*l M***in* (*u*lVM), w**r* m*mory r***s *oul* *yp*ss *xp**t** ****ss *ontrols. Sp**i*i**lly, w**n * sm*rt *ontr**t p*r*orm** * `mlo**` (or ot**r op*o**s w*i** ****ss m*mory) on m*

Reasoning

T** *n*lysis o* t** provi*** s**urity **visory *n* t** *sso*i*t** *ommit `****************************************` points to * 'Us* **t*r *r**' vuln*r**ility in t** *u*lVM's m*mory m*n***m*nt. T** vuln*r**ility **s*ription *xpli*itly st*t*s t**t m*m

N/A

Basic Information

Concerned about an active attack path?

GHSA-2pgj-5cv2-6xxw: FuelVM is vulnerable to heap memory allocation re-use bug

Impact

Patches

Workarounds

References

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI