CVE-2025-15013
Stack-Based Buffer Overflow in sokol_gfx.h _sg_validate_pipeline_desc
Publication date: 2025-12-22
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| floooh | sokol | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15013 is a stack-based buffer overflow in the sokol_gfx library of the floooh sokol project, specifically in the function _sg_validate_pipeline_desc in sokol_gfx.h. The cause is an off-by-one error in the validation of an sg_pipeline_desc: while validating the descriptor during pipeline creation, the code indexes an array one element past its end, which produces a 4-byte out-of-bounds read from the stack. The result is undefined behavior, in practice a crash or a read of whatever the compiler placed after the array in the stack frame. Because the overflow is a read rather than a write, it does not by itself corrupt memory. A patch that fixes the bounds check has been released. [3, 5, 6]
How can this vulnerability impact me?
The direct effect is a 4-byte out-of-bounds read on the stack inside a validation routine. Realistically that means a crash (for example an AddressSanitizer abort in an instrumented build) or a validation decision influenced by a stack value that lies outside the array; a read of this size is not a path to arbitrary code execution. Triggering it requires control over the sg_pipeline_desc handed to pipeline creation, which is why the issue is classed as requiring local access; a public proof-of-concept exists, so reproduction is straightforward once that control is available. Applications that build pipelines only from their own compiled-in descriptors are exposed mainly to instability. Applications that construct pipeline descriptions from external input (asset files, plugins, scripting) should treat this as a memory-safety bug on an untrusted input path, with possible disclosure of a few bytes of adjacent stack contents. [5, 6]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This is an in-process library bug triggered during pipeline creation, so there is no network signature for it; detection is a matter of code inventory plus dynamic testing. For inventory, find every copy of sokol_gfx.h in your source trees (it is a single-header library that is normally vendored, so several copies may exist) and check whether each predates the fix. For dynamic confirmation, reproduce under AddressSanitizer (ASAN): 1) Build the sokol test harness or your own reproducer with Clang using -O0 -g -fno-omit-frame-pointer -fsanitize=address. 2) Run the harness, a fuzzer, or the specific repro input that exercises _sg_validate_pipeline_desc; ASAN reports a stack-buffer-overflow at the offending line in sokol_gfx.h. Note that the _sg_validate_* functions belong to sokol_gfx's debug validation layer, so the build used for reproduction must have that layer compiled in, or the vulnerable code will not execute at all. [3, 5]
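The following is an added example written for this page, not code from sokol_gfx.h; it illustrates the off-by-one pattern described in the explanation above and gives a reproducer for the ASAN steps just listed. The struct layout, the names pipeline_desc_t, color_count, color_fmt and MAX_COLOR_ATTACHMENTS, and the rule that a negative format is invalid are all assumptions chosen for illustration and are not sokol's.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed layout for illustration only: a fixed-size per-attachment array and
 * a caller-supplied count. Names and the limit are not taken from sokol_gfx.h. */
#define MAX_COLOR_ATTACHMENTS 4

typedef struct {
    int color_count;                      /* number of attachments in use */
    int color_fmt[MAX_COLOR_ATTACHMENTS]; /* one pixel format per attachment */
} pipeline_desc_t;

/* Vulnerable validator: the loop bound is inclusive, so the last iteration
 * reads color_fmt[color_count]. With color_count == MAX_COLOR_ATTACHMENTS that
 * is one int (4 bytes) past the end of the array: a stack-based out-of-bounds
 * read whenever the descriptor is a local variable of the caller. */
static bool validate_vulnerable(const pipeline_desc_t *desc) {
    for (int i = 0; i <= desc->color_count; i++) {   /* BUG: <= should be < */
        if (desc->color_fmt[i] < 0) {
            return false;
        }
    }
    return true;
}

/* Hardened validator: reject counts outside [1, MAX] before indexing anything,
 * and use an exclusive loop bound so every index stays inside the array. */
static bool validate_fixed(const pipeline_desc_t *desc) {
    if (desc->color_count < 1 || desc->color_count > MAX_COLOR_ATTACHMENTS) {
        return false;
    }
    for (int i = 0; i < desc->color_count; i++) {
        if (desc->color_fmt[i] < 0) {
            return false;
        }
    }
    return true;
}

/* Helper: a descriptor with `count` attachments whose formats are all valid
 * except index `bad_idx` (pass -1 for none). Constructed test input. */
static pipeline_desc_t make_desc(int count, int bad_idx) {
    pipeline_desc_t d = { .color_count = count, .color_fmt = {0} };
    if (bad_idx >= 0 && bad_idx < MAX_COLOR_ATTACHMENTS) {
        d.color_fmt[bad_idx] = -1;
    }
    return d;
}

static bool fixed_accepts(int count, int bad_idx) {
    pipeline_desc_t d = make_desc(count, bad_idx);
    return validate_fixed(&d);
}

/* Only call with count < MAX_COLOR_ATTACHMENTS: larger counts read past the
 * array, which is exactly the bug, and is left to the ASAN run in main(). */
static bool vulnerable_accepts(int count, int bad_idx) {
    pipeline_desc_t d = make_desc(count, bad_idx);
    return validate_vulnerable(&d);
}

/* ASAN reproduction: a stack descriptor whose count equals the array size is
 * legal for the fixed validator but makes the vulnerable one read past
 * color_fmt. Build and run with
 *   clang -O0 -g -fno-omit-frame-pointer -fsanitize=address demo.c && ./a.out
 * and ASAN reports a stack-buffer-overflow inside validate_vulnerable. */
int main(void) {
    pipeline_desc_t desc = make_desc(MAX_COLOR_ATTACHMENTS, -1);
    printf("fixed validator accepts boundary count: %s\n",
           validate_fixed(&desc) ? "yes" : "no");
    printf("vulnerable validator (ASAN aborts here): %s\n",
           validate_vulnerable(&desc) ? "yes" : "no");
    return 0;
}
```

The off-by-one is observable even without going out of bounds: with a count of 2 and an invalid format at index 2, the vulnerable validator inspects the slot it should have ignored and rejects the descriptor, while the fixed one accepts it. The overflow itself only appears at the boundary count, which is why the ASAN run uses count == MAX_COLOR_ATTACHMENTS.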
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
A stack-based out-of-bounds read that a local attacker can trigger is a memory-safety defect affecting system reliability and, to a limited degree, confidentiality, so it falls under the general obligations in standards like GDPR and HIPAA to protect sensitive data and keep systems sound. The provided resources do not describe any specific compliance implication or regulatory finding for this CVE; whether it matters for your compliance posture depends on whether the affected software handles regulated data and whether untrusted input can reach pipeline creation. [6]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to apply the fix identified by commit b95c5245ba357967220c9a860c7578a7487937b0 to sokol_gfx.h. The patch adds an assertion that enforces proper bounds checking on color attachment indices in _sg_validate_pipeline_desc, so the out-of-bounds read cannot occur. sokol has a rolling release model, so updating to the latest revision that contains this commit is the recommended route. Because sokol_gfx.h is a single-header library that applications typically vendor, the fix only takes effect once the copied header in each application is refreshed and the application is rebuilt; check every vendored copy, not just the upstream checkout. Until that is done, do not construct sg_pipeline_desc values from untrusted input in the affected applications. [2, 5, 6]