Skip to content
Tech News
← Back to articles

All the bugs they found

2026-05-19 | original
read original get Bug Tracking Software → more articles
Why This Matters

The discovery of over 20 security vulnerabilities, including sandbox escapes, in the Epsilon WASM runtime highlights the ongoing challenges of ensuring security in sandboxed execution environments. This underscores the importance of rigorous testing and validation in the development of embeddable runtimes, especially as they become more prevalent in handling potentially untrusted code. For consumers and developers, these findings emphasize the need for continuous security assessments to prevent exploitation and protect sensitive data.

Key Takeaways

All the bugs they found

2026-05-18

Last year I wrote a small WASM runtime in Go, Epsilon. As far as runtimes go, this is a pretty simple one: no JIT, just a pure instruction interpreter in ~11k lines of code. It is also very extensively tested against the official WASM testsuite.

Epsilon is designed to be embeddable in other applications and provide a sandbox for potentially untrusted code.

How many security vulnerabilities do you think AI agents found in it?

More than 20.

Most of these were somewhat simple DoS attacks, e.g. panics during parsing or validation. Some were clear API design failures that would probably have surfaced sooner with a bit more usage of the project. A few weren't exploitable on their own, but would become serious if combined with a future bug elsewhere.

A handful, though, were properly interesting: sandbox escapes that let a malicious WASM module break out of its isolation and reach into another module's private state. These are my favorites.

Background

A single Epsilon runtime can host multiple WASM modules. In the WASM security model, modules are isolated except for explicitly exported (and imported) objects. Unexported functions, memories, etc., are private to the module that defined them.

... continue reading

Explore topics: wasm epsilon wasm runtime sandbox escape security vulnerabilities
Related:
Ubiquiti patches three max severity UniFi OS vulnerabilities
Make ZIP files smaller with ZIP Shrinker
New macOS vulnerabilities were exposed by Anthropic’s Mythos: report
CERT is releasing six CVEs for serious security vulnerabilities in dnsmasq
iOS 26.5 has fixes for 50+ security issues on iPhone, details here

© 2026 GoKawiil

About | Editorial Policy | Contact