CVE-2025-14958
Unknown Unknown - Not Provided
Heap-Based Buffer Overflow in sokol_gfx.h _sg_pipeline_common_init

Publication date: 2025-12-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in floooh sokol up to 33e2271c431bf21de001e972f72da17a984da932. This vulnerability affects the function _sg_pipeline_common_init in the library sokol_gfx.h. Performing manipulation results in heap-based buffer overflow. The attack needs to be approached locally. The exploit has been released to the public and may be exploited. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The patch is named 33e2271c431bf21de001e972f72da17a984da932. It is suggested to install a patch to address this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-19
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14958
EUVD
EUVD-2025-204579
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
floooh sokol *
floooh sokol_gfx *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-14958 is a heap-based buffer overflow vulnerability in the sokol_gfx library, specifically in the function _sg_pipeline_common_init. The issue occurs due to improper pointer arithmetic or indexing that causes a write operation to an invalid memory address before the allocated heap buffer. This out-of-bounds write can corrupt heap metadata or adjacent data structures, leading to undefined behavior or security risks. The vulnerability is triggered locally during pipeline initialization and was confirmed using AddressSanitizer on a Linux x86_64 environment. [1, 4, 5]

Impact Analysis

This vulnerability can compromise the confidentiality, integrity, and availability of the affected system by corrupting heap memory. An attacker with local access can exploit this heap buffer overflow to cause crashes, execute arbitrary code, or escalate privileges. Since the exploit is publicly available and considered easy to exploit, it poses a significant security risk if the system is not patched. [1, 5]

Detection Guidance

This vulnerability can be detected by compiling the sokol test harness with AddressSanitizer enabled (using the compiler flag -fsanitize=address) and running a fuzzer harness with specific inputs that trigger the heap buffer overflow during pipeline creation. AddressSanitizer logs will report invalid writes to memory addresses outside the allocated heap buffer, indicating the presence of the vulnerability. There are no specific network detection commands since the attack requires local access and occurs during local pipeline initialization. Example detection involves building the sokol_gfx code with ASAN and running tests to observe heap-buffer-overflow errors. [1, 4]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to apply the patch identified by commit 33e2271c431bf21de001e972f72da17a984da932, which fixes the assertion in the _sg_pipeline_common_init function to properly validate the buffer_index and prevent out-of-bounds writes. Users should update their sokol_gfx library to include this patch. Since the product uses a rolling release model, ensure you have the latest version containing this fix. Additionally, restrict local access to trusted users only, as exploitation requires local privileges. [3, 5]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14958. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart