CVE-2025-15412
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in WebAssembly wabt up to 1.0.39. This issue affects the function wabt::Decompiler::VarName of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. Such manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended to the researcher to provide a PR himself.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-01
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-01
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15412
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
webassembly wabt to 1.0.39 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15412 is a memory corruption vulnerability in the WebAssembly Binary Toolkit (WABT) up to version 1.0.39, specifically in the wasm-decompile tool's function wabt::Decompiler::VarName. It occurs when the tool processes malformed WebAssembly binaries and attempts to resolve variable names, leading to an out-of-bounds read or wild pointer dereference. This causes a segmentation fault (crash) due to accessing invalid memory addresses. The vulnerability requires local access to exploit and has a publicly available proof-of-concept. The project currently lacks an active maintainer and no official patches exist. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by causing a denial of service through a crash of the wasm-decompile tool when processing malformed WebAssembly binaries. The out-of-bounds read can compromise system stability and potentially affect confidentiality, integrity, and availability of the affected system. Since the exploit is easy to perform locally and a proof-of-concept is publicly available, attackers with local access could disrupt operations or cause memory corruption. [1, 2]

Detection Guidance

This vulnerability can be detected by reproducing the crash using a specially crafted malformed WebAssembly binary with the vulnerable wasm-decompile tool. On a Linux x86_64 system, build the wasm-decompile tool with AddressSanitizer enabled using the command: `make clang-release-asan CMAKE_FLAGS="-DCMAKE_BUILD_TYPE=Release -DUSE_ASAN=ON -DCMAKE_CXX_FLAGS_RELEASE=-DNDEBUG"`. Then run the command `./wasm-decompile ./repro` where `repro` is the malformed binary triggering the out-of-bounds read and segmentation fault. Monitoring for segmentation faults or crashes during decompilation indicates the presence of the vulnerability. [2, 3]

Mitigation Strategies

Immediate mitigation steps are limited as no official patches or countermeasures are available due to the lack of an active maintainer. It is recommended to avoid using the vulnerable versions of wabt (up to 1.0.39) and consider replacing the wasm-decompile component with an alternative product. Restrict local access to systems running the vulnerable tool to prevent exploitation. Monitoring for updates or community patches is advised. [1]

Compliance Impact

The provided resources do not contain information regarding the impact of CVE-2025-15412 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15412. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart