CVE-2025-14957

CVE-2025-14957

Name

CVE-2025-14957

Description

A vulnerability was identified in WebAssembly Binaryen up to 125. This affects the function IRBuilder::makeLocalGet/IRBuilder::makeLocalSet/IRBuilder::makeLocalTee of the file src/wasm/wasm-ir-builder.cpp of the component IRBuilder. Such manipulation of the argument Index leads to null pointer dereference. Local access is required to approach this attack. The exploit is publicly available and might be used. The name of the patch is 6fb2b917a79578ab44cf3b900a6da4c27251e0d4. Applying a patch is advised to resolve this issue.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
patch	https://github.com/WebAssembly/binaryen/commit/6fb2b917a79578ab44cf3b900a6da4c27251e0d4
issue-tracking	https://github.com/WebAssembly/binaryen/issues/8090
issue-tracking	https://github.com/WebAssembly/binaryen/pull/8099
exploit	https://github.com/oneafter/1204/blob/main/af1
signature	https://vuldb.com/?ctiid.337593
vdb-entry	https://vuldb.com/?id.337593
third-party-advisory	https://vuldb.com/?submit.717317
third-party-advisory	https://vuldb.com/?submit.717319

Type

URI

patch

https://github.com/WebAssembly/binaryen/commit/6fb2b917a79578ab44cf3b900a6da4c27251e0d4

issue-tracking

https://github.com/WebAssembly/binaryen/issues/8090

issue-tracking

https://github.com/WebAssembly/binaryen/pull/8099

exploit

https://github.com/oneafter/1204/blob/main/af1

signature

https://vuldb.com/?ctiid.337593

vdb-entry

https://vuldb.com/?id.337593

third-party-advisory

https://vuldb.com/?submit.717317

third-party-advisory

https://vuldb.com/?submit.717319

CPE URI	Source package	Min version	Max version
	binaryen	== 125	== None
`cpe:2.3:a:webassembly:binaryen::::::::`	binaryen	>= None	<= 125

CPE URI

Source package

Min version

Max version

binaryen

== 125

== None

cpe:2.3:a:webassembly:binaryen:*:*:*:*:*:*:*:*

binaryen

>= None

<= 125

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
binaryen	edge-community	123-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
binaryen	edge-community	123-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
binaryen	edge-community	121-r2	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
binaryen	edge-community	121-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
binaryen	edge-community	121-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
binaryen	edge-community	120-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
binaryen	3.23-community	123-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
binaryen	3.22-community	123-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
binaryen	3.22-community	120-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

binaryen

edge-community

123-r1

Jakub Jirutka <jakub@jirutka.cz>

possibly vulnerable

binaryen

edge-community