CVE-2025-14957: Improper Resource Shutdown or Release in Binaryen

Severity: 4.8 MEDIUM (NVD)
EPSS: 0.0% (top 92.81%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 19

Description

A vulnerability was identified in WebAssembly Binaryen up to 125. This affects the function IRBuilder::makeLocalGet/IRBuilder::makeLocalSet/IRBuilder::makeLocalTee of the file src/wasm/wasm-ir-builder.cpp of the component IRBuilder. Such manipulation of the argument Index leads to null pointer dereference. Local access is required to approach this attack. The exploit is publicly available and might be used. The name of the patch is 6fb2b917a79578ab44cf3b900a6da4c27251e0d4. Applying a patch is ad

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages: 3 packages

Patches

🔴 Vulnerability Details (2)

OSV: CVE-2025-14957: A vulnerability was identified in WebAssembly Binaryen up to 125 (2025-12-19)
GHSA: GHSA-3h23-rfwm-gcx3: A vulnerability was identified in WebAssembly Binaryen up to 125 (2025-12-19)

📋 Vendor Advisories (1)

Debian: CVE-2025-14957: binaryen - A vulnerability was identified in WebAssembly Binaryen up to 125. This affects t... (2025)

🕵️ Threat Intelligence (1)

Wiz: CVE-2025-14957 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-14957 — Improper Resource Shutdown or Release | cvebase