CVE-2025-14956
Unknown Unknown - Not Provided
Heap-Based Buffer Overflow in WebAssembly Binaryen readExport Function

Publication date: 2025-12-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in WebAssembly Binaryen up to 125. Affected by this issue is the function WasmBinaryReader::readExport of the file src/wasm/wasm-binary.cpp. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. Patch name: 4f52bff8c4075b5630422f902dd92a0af2c9f398. It is recommended to apply a patch to fix this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-19
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-19
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14956
EUVD
EUVD-2025-204567
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
webassembly binaryen *
webassembly wasm-opt *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-14956 is a heap-based buffer overflow vulnerability in the WebAssembly Binaryen tool, specifically in the wasm-opt utility. It occurs in the function WasmBinaryReader::readExpression in the source file src/wasm/wasm-binary.cpp. When parsing a malformed WebAssembly binary, especially during Data Segment processing, the parser reads one byte beyond the allocated buffer, causing a heap buffer overflow. This happens because the parser does not properly check if there is more input before reading, leading to an out-of-bounds read and potential crash or undefined behavior. [1, 6]

Impact Analysis

This vulnerability can impact you by causing crashes or instability in the wasm-opt tool when processing malformed WebAssembly binaries. Since it is a heap-based buffer overflow, it may also be exploited by an attacker with local access to execute arbitrary code, corrupt memory, or disrupt the confidentiality, integrity, and availability of the affected system. The exploit is publicly available, and the vulnerability is considered moderately severe with an ease of exploitation rated as easy, so it poses a tangible security risk if unpatched. [2, 6]

Detection Guidance

This vulnerability can be detected by running the vulnerable wasm-opt tool with a specially crafted malformed WebAssembly binary that triggers the heap buffer overflow. A reproduction command to detect the issue is `./wasm-opt repro -o /dev/null`, where `repro` is a malformed input file designed to cause the overflow. Additionally, compiling wasm-opt with AddressSanitizer enabled (`-fsanitize=address`) can help detect the heap buffer overflow during testing. Monitoring for crashes or AddressSanitizer reports during wasm-opt execution can indicate the presence of the vulnerability. [1, 6]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to apply the patch released by the vendor, identified by commit 4f52bff8c4075b5630422f902dd92a0af2c9f398, which fixes the improper input termination handling in the WasmBinaryReader::readExpression function. Users should update their WebAssembly Binaryen tool to a version that includes this fix. Additionally, avoid processing untrusted or malformed WebAssembly binaries locally until the patch is applied to prevent exploitation. [2, 4, 5]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14956. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart