Skip to main content

WebAssembly Binaryen CVE-2026-8257

| EUVDEUVD-2026-29013 LOW
Reachable Assertion (CWE-617)
2026-05-11 VulDB GHSA-gmmj-chcc-2f2x
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 11, 2026 - 02:22 NVD
3.3 (LOW) 1.9 (LOW)
Source Code Evidence Fetched
May 11, 2026 - 02:00 vuln.today
Analysis Generated
May 11, 2026 - 02:00 vuln.today
CVE Published
May 11, 2026 - 00:30 nvd
LOW 3.3

DescriptionCVE.org

A vulnerability was detected in WebAssembly Binaryen up to 117. This issue affects the function IRBuilder::makeBrOn of the file src/wasm/wasm-ir-builder.cpp of the component BrOn Parser. Performing a manipulation results in reachable assertion. The attack needs to be approached locally. The exploit is now public and may be used. The patch is named 1251efbc1ea471c1311d2726b2bbe061ff2a291c. It is suggested to install a patch to address this issue.

AnalysisAI

Denial of service via reachable assertion in WebAssembly Binaryen up to version 117 allows local attackers with low privileges to crash the BrOn parser component by providing malformed WebAssembly bytecode that triggers an unhandled assertion in the IRBuilder::makeBrOn function, with publicly available exploit code and vendor patch already released.

Technical ContextAI

Binaryen is the WebAssembly compiler and toolchain library that parses and processes WebAssembly intermediate representation (IR). The vulnerability exists in the IRBuilder::makeBrOn function within src/wasm/wasm-ir-builder.cpp, which handles the br_on* family of WebAssembly branch instructions that conditionally branch based on runtime type checks. The root cause is a CWE-617 (Reachable Assertion) - the function fails to validate that operand types are references (ref) before processing them, causing an assertion failure when non-reference types are provided in crafted WebAssembly modules. The br_on instructions (br_on_cast, br_on_cast_fail, br_on_non_null, br_on_null) require reference-typed operands per WebAssembly specification, but the parser did not enforce this validation, allowing malicious or malformed WASM input to trigger unprotected assertion checks rather than graceful error handling.

RemediationAI

Install the patched version of Binaryen with commit 1251efbc1ea471c1311d2726b2bbe061ff2a291c or later from the official WebAssembly Binaryen repository (https://github.com/WebAssembly/binaryen). Update build systems and CI/CD pipelines that depend on Binaryen to pull the latest release that includes this fix. If immediate patching is not feasible, restrict local access to Binaryen toolchain executables to trusted users only and implement input validation in any systems that accept untrusted WebAssembly modules - specifically, validate that br_on* instructions reference only reference-typed operands before passing modules to Binaryen. Monitor build logs for assertion failures in wasm-ir-builder.cpp as an indicator of exploitation attempts. The patch validates that operands to br_on* instructions are properly typed as references, replacing assertion failures with graceful error returns.

CVE-2021-45290 HIGH POC
7.5 Dec 21

A Denial of Service vulnerability exits in Binaryen 103 due to an assertion abort in wasm::handle_unreachable. Rated hig

CVE-2019-15759 MEDIUM POC
6.5 Aug 29

An issue was discovered in Binaryen 1.38.32. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitabl

CVE-2019-15758 MEDIUM POC
6.5 Aug 29

An issue was discovered in Binaryen 1.38.32. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitabl

CVE-2019-7704 MEDIUM POC
6.5 Feb 10

wasm::WasmBinaryBuilder::readUserSection in wasm-binary.cpp in Binaryen 1.38.22 triggers an attempt at excessive memory

CVE-2019-7703 MEDIUM POC
6.5 Feb 10

In Binaryen 1.38.22, there is a use-after-free problem in wasm::WasmBinaryBuilder::visitCall in wasm-binary.cpp. Rated m

CVE-2019-7702 MEDIUM POC
6.5 Feb 10

A NULL pointer dereference was discovered in wasm::SExpressionWasmBuilder::parseExpression in wasm-s-parser.cpp in Binar

CVE-2019-7701 MEDIUM POC
6.5 Feb 10

A heap-based buffer over-read was discovered in wasm::SExpressionParser::skipWhitespace() in wasm-s-parser.cpp in Binary

CVE-2019-7700 MEDIUM POC
6.5 Feb 10

A heap-based buffer over-read was discovered in wasm::WasmBinaryBuilder::visitCall in wasm-binary.cpp in Binaryen 1.38.2

CVE-2019-7662 MEDIUM POC
6.5 Feb 09

An assertion failure was discovered in wasm::WasmBinaryBuilder::getType() in wasm-binary.cpp in Binaryen 1.38.22. Rated

CVE-2019-7154 MEDIUM POC
6.5 Jan 29

The main function in tools/wasm2js.cpp in Binaryen 1.38.22 has a heap-based buffer overflow because Emscripten is misuse

CVE-2019-7153 MEDIUM POC
6.5 Jan 29

A NULL pointer dereference was discovered in wasm::WasmBinaryBuilder::processFunctions() in wasm/wasm-binary.cpp (when c

CVE-2019-7152 MEDIUM POC
6.5 Jan 29

A heap-based buffer over-read was discovered in wasm::WasmBinaryBuilder::processFunctions() in wasm/wasm-binary.cpp (whe

Share

CVE-2026-8257 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy