sokol Graphics Library CVE-2025-15013
LOWSeverity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was identified in floooh sokol up to 5d11344150973f15e16d3ec4ee7550a73fb995e0. The impacted element is the function _sg_validate_pipeline_desc in the library sokol_gfx.h. Such manipulation leads to stack-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The name of the patch is b95c5245ba357967220c9a860c7578a7487937b0. It is best practice to apply a patch to resolve this issue.
AnalysisAI
Stack-based buffer overflow in sokol_gfx.h function _sg_validate_pipeline_desc allows local authenticated attackers to corrupt stack memory with limited confidentiality and integrity impact. The vulnerability affects sokol up to commit 5d11344150973f15e16d3ec4ee7550a73fb995e0, with patch commit b95c5245ba357967220c9a860c7578a7487937b0 available. Publicly available exploit code exists, though EPSS exploitation probability remains very low at 0.03%, indicating limited real-world attack surface.
Technical ContextAI
Sokol is a header-only C graphics library providing cross-platform abstraction for graphics APIs. The vulnerable function _sg_validate_pipeline_desc in sokol_gfx.h performs validation of graphics pipeline descriptors without proper bounds checking on stack buffers. The CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) classification indicates the core issue is insufficient validation of buffer boundaries during pipeline descriptor processing. This validation function is called during graphics pipeline initialization, which occurs early in graphics setup workflows. The library uses a rolling release model via GitHub commits rather than traditional versioned releases, making patch tracking dependent on Git commit hashes.
Affected ProductsAI
Sokol graphics library versions up to commit 5d11344150973f15e16d3ec4ee7550a73fb995e0 are affected. Because sokol uses a rolling release model without traditional version numbers, affected releases cannot be enumerated by version string. The library is distributed as a header-only C library via GitHub (github.com/floooh/sokol). Users should identify their local commit hash and determine if it is earlier than the patching commit b95c5245ba357967220c9a860c7578a7487937b0.
RemediationAI
Update sokol to commit b95c5245ba357967220c9a860c7578a7487937b0 or later via git pull and rebuild. Because sokol is header-only, the patch requires only replacing the sokol_gfx.h header file and recompiling dependent applications. Verify the applied commit hash using 'git log --oneline' and confirm b95c5245 is present. For developers unable to immediately update, restrict pipeline descriptor creation to trusted code paths and validate descriptor structures before passing to _sg_validate_pipeline_desc if custom descriptor construction occurs. The patch itself addresses buffer bounds validation, so no behavioral workarounds are available. Reference: https://github.com/floooh/sokol/pull/246 and https://github.com/seyhajin/sokol/commit/b95c5245ba357967220c9a860c7578a7487937b0
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today