CVE-2025-14958
Heap-Based Buffer Overflow in sokol_gfx.h _sg_pipeline_common_init
Publication date: 2025-12-19
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| floooh | sokol | * |
| floooh | sokol_gfx | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14958 is a heap-based buffer overflow vulnerability in the sokol_gfx library, specifically in the function _sg_pipeline_common_init. The issue occurs due to improper pointer arithmetic or indexing that causes a write operation to an invalid memory address before the allocated heap buffer. This out-of-bounds write can corrupt heap metadata or adjacent data structures, leading to undefined behavior or security risks. The vulnerability is triggered locally during pipeline initialization and was confirmed using AddressSanitizer on a Linux x86_64 environment. [1, 4, 5]
How can this vulnerability impact me?
This vulnerability can compromise the confidentiality, integrity, and availability of the affected system by corrupting heap memory. An attacker with local access can exploit this heap buffer overflow to cause crashes, execute arbitrary code, or escalate privileges. Since the exploit is publicly available and considered easy to exploit, it poses a significant security risk if the system is not patched. [1, 5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by compiling the sokol test harness with AddressSanitizer enabled (using the compiler flag -fsanitize=address) and running a fuzzer harness with specific inputs that trigger the heap buffer overflow during pipeline creation. AddressSanitizer logs will report invalid writes to memory addresses outside the allocated heap buffer, indicating the presence of the vulnerability. There are no specific network detection commands since the attack requires local access and occurs during local pipeline initialization. Example detection involves building the sokol_gfx code with ASAN and running tests to observe heap-buffer-overflow errors. [1, 4]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to apply the patch identified by commit 33e2271c431bf21de001e972f72da17a984da932, which fixes the assertion in the _sg_pipeline_common_init function to properly validate the buffer_index and prevent out-of-bounds writes. Users should update their sokol_gfx library to include this patch. Since the product uses a rolling release model, ensure you have the latest version containing this fix. Additionally, restrict local access to trusted users only, as exploitation requires local privileges. [3, 5]
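The answer above describes the fix as validating buffer_index in _sg_pipeline_common_init so that no out-of-bounds write happens. The following is an added example, not sokol_gfx's own code and not the upstream patch: the struct, field and function names (pipeline_common_t, pipeline_desc_t, pipeline_common_init, MAX_VERTEX_BUFFERS) are hypothetical stand-ins. It shows the defensive pattern a heap-allocated per-pipeline state table needs: every index is checked with a signed comparison before any write, so negative values (which would address memory before the allocation, the CWE-122 case) and values past the end are both refused, and validation happens before the first write so a rejected descriptor leaves no partially initialised state.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limits and types standing in for a pipeline's
   per-vertex-buffer state. Not sokol_gfx's definitions. */
#define MAX_VERTEX_BUFFERS 8
#define MAX_VERTEX_ATTRS   16

typedef struct {
    int      buffer_index;   /* which vertex buffer slot this attribute reads from */
    uint32_t offset;         /* byte offset inside that buffer */
} vertex_attr_desc_t;

typedef struct {
    int                num_attrs;
    vertex_attr_desc_t attrs[MAX_VERTEX_ATTRS];
} pipeline_desc_t;

typedef struct {
    bool     vb_in_use[MAX_VERTEX_BUFFERS];   /* heap-allocated in pipeline_alloc() */
    uint32_t vb_stride[MAX_VERTEX_BUFFERS];
} pipeline_common_t;

typedef enum {
    INIT_OK = 0,
    INIT_ERR_NULL,
    INIT_ERR_NUM_ATTRS_OUT_OF_RANGE,
    INIT_ERR_BUFFER_INDEX_OUT_OF_RANGE
} init_result_t;

/* Signed comparison: a negative index is rejected here rather than being
   converted to a huge unsigned value or silently indexing before the array. */
static bool buffer_index_valid(int buffer_index) {
    return buffer_index >= 0 && buffer_index < MAX_VERTEX_BUFFERS;
}

/* Allocate the per-pipeline state on the heap, mirroring the allocation
   pattern the CWE-122 classification refers to. */
pipeline_common_t *pipeline_alloc(void) {
    return (pipeline_common_t *)calloc(1, sizeof(pipeline_common_t));
}

/* Hardened initializer: validates the whole descriptor first, then writes.
   Failures are returned as status codes instead of relying on assert(),
   which is compiled out in NDEBUG builds and therefore cannot be the only
   guard on an index used for a memory write. */
init_result_t pipeline_common_init(pipeline_common_t *cmn, const pipeline_desc_t *desc) {
    if (!cmn || !desc) return INIT_ERR_NULL;
    if (desc->num_attrs < 0 || desc->num_attrs > MAX_VERTEX_ATTRS)
        return INIT_ERR_NUM_ATTRS_OUT_OF_RANGE;

    /* Pass 1: check every index before touching cmn. */
    for (int i = 0; i < desc->num_attrs; i++) {
        if (!buffer_index_valid(desc->attrs[i].buffer_index))
            return INIT_ERR_BUFFER_INDEX_OUT_OF_RANGE;
    }

    /* Pass 2: all indices are known in-range, so these writes stay inside the buffer. */
    memset(cmn, 0, sizeof(*cmn));
    for (int i = 0; i < desc->num_attrs; i++) {
        int idx = desc->attrs[i].buffer_index;
        cmn->vb_in_use[idx] = true;
        cmn->vb_stride[idx] = desc->attrs[i].offset + sizeof(float) * 4;  /* illustrative stride */
    }
    return INIT_OK;
}

int main(void) {
    /* Constructed descriptors: one valid, one carrying a negative buffer_index. */
    pipeline_desc_t good = { .num_attrs = 2, .attrs = { { 0, 0 }, { 3, 16 } } };
    pipeline_desc_t bad  = { .num_attrs = 1, .attrs = { { -1, 0 } } };

    pipeline_common_t *cmn = pipeline_alloc();
    if (!cmn) return 1;
    printf("good descriptor -> %d\n", (int)pipeline_common_init(cmn, &good));
    printf("negative index  -> %d\n", (int)pipeline_common_init(cmn, &bad));
    free(cmn);
    return 0;
}
```

Building this with `-fsanitize=address`, as the detection answer suggests for the real library, is the natural companion check: with the validation in place ASan stays silent for the rejected descriptor, because no write is ever attempted with the bad index.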