CVE-2026-8257
Analyzed Analyzed - Analysis Complete
Heap-based Buffer Overflow in Binaryen

Publication date: 2026-05-11

Last updated on: 2026-05-21

Assigner: VulDB

Description
A vulnerability was detected in WebAssembly Binaryen up to 117. This issue affects the function IRBuilder::makeBrOn of the file src/wasm/wasm-ir-builder.cpp of the component BrOn Parser. Performing a manipulation results in reachable assertion. The attack needs to be approached locally. The exploit is now public and may be used. The patch is named 1251efbc1ea471c1311d2726b2bbe061ff2a291c. It is suggested to install a patch to address this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-21
Generated
2026-06-20
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-8257
EUVD
EUVD-2026-29013
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
webassembly binaryen to 117 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the WebAssembly Binaryen tool, specifically in the function IRBuilder::makeBrOn within the BrOn Parser component. It causes an assertion failure when the code processes malformed WebAssembly input where certain fields (`ref` and `desc`) are not valid reference types but instead are of type `i32`. This leads to an unexpected assertion error during the parsing process.

The issue arises because the code expects these fields to be valid reference types or unreachable, but when they are not, the assertion triggers, causing the tool to fail. The vulnerability requires local access to exploit and can cause crashes or unexpected behavior in the Binaryen toolchain.

A patch was created to add validation checks to ensure these fields are valid before proceeding, preventing the assertion failure.

Impact Analysis

This vulnerability can cause the WebAssembly Binaryen tool to crash or behave unexpectedly when processing malformed input. Since the assertion failure occurs locally, an attacker with local access could trigger this condition to disrupt the tool's operation.

The impact is limited to denial of service or instability of the Binaryen toolchain during WebAssembly code compilation or optimization, potentially affecting development or build processes that rely on this tool.

The CVSS scores indicate a low severity, reflecting that the vulnerability requires local access and does not lead to code execution or data compromise.

Detection Guidance

This vulnerability manifests as an assertion failure in the WebAssembly Binaryen toolchain when processing malformed WebAssembly input, specifically in the BrOn parsing functionality.

To detect this issue, you can attempt to reproduce the assertion failure by running the `wasm-ctor-eval` tool on malformed or crafted WebAssembly input files similar to the provided proof-of-concept (PoC) file named `poc`.

A suggested command to detect the vulnerability is:

  • `wasm-ctor-eval poc`

If the tool crashes or triggers an assertion failure related to `wasm::Type::getHeapType()` or the BrOn parser, the vulnerability is present.

Mitigation Strategies

The primary mitigation step is to apply the official patch that addresses this vulnerability.

Specifically, update your WebAssembly Binaryen installation to include the fix introduced in commit `1251efbc1ea471c1311d2726b2bbe061ff2a291c`, which adds validation checks in the BrOn parsing logic to prevent assertion failures.

Until the patch is applied, avoid processing untrusted or malformed WebAssembly input files locally, as the attack requires local access.

Compliance Impact

There is no information provided in the available context or resources about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8257. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart