Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was detected in WebAssembly Binaryen up to 117. This issue affects the function IRBuilder::makeBrOn of the file src/wasm/wasm-ir-builder.cpp of the component BrOn Parser. Performing a manipulation results in reachable assertion. The attack needs to be approached locally. The exploit is now public and may be used. The patch is named 1251efbc1ea471c1311d2726b2bbe061ff2a291c. It is suggested to install a patch to address this issue.
AnalysisAI
Denial of service via reachable assertion in WebAssembly Binaryen up to version 117 allows local attackers with low privileges to crash the BrOn parser component by providing malformed WebAssembly bytecode that triggers an unhandled assertion in the IRBuilder::makeBrOn function, with publicly available exploit code and vendor patch already released.
Technical ContextAI
Binaryen is the WebAssembly compiler and toolchain library that parses and processes WebAssembly intermediate representation (IR). The vulnerability exists in the IRBuilder::makeBrOn function within src/wasm/wasm-ir-builder.cpp, which handles the br_on* family of WebAssembly branch instructions that conditionally branch based on runtime type checks. The root cause is a CWE-617 (Reachable Assertion) - the function fails to validate that operand types are references (ref) before processing them, causing an assertion failure when non-reference types are provided in crafted WebAssembly modules. The br_on instructions (br_on_cast, br_on_cast_fail, br_on_non_null, br_on_null) require reference-typed operands per WebAssembly specification, but the parser did not enforce this validation, allowing malicious or malformed WASM input to trigger unprotected assertion checks rather than graceful error handling.
RemediationAI
Install the patched version of Binaryen with commit 1251efbc1ea471c1311d2726b2bbe061ff2a291c or later from the official WebAssembly Binaryen repository (https://github.com/WebAssembly/binaryen). Update build systems and CI/CD pipelines that depend on Binaryen to pull the latest release that includes this fix. If immediate patching is not feasible, restrict local access to Binaryen toolchain executables to trusted users only and implement input validation in any systems that accept untrusted WebAssembly modules - specifically, validate that br_on* instructions reference only reference-typed operands before passing modules to Binaryen. Monitor build logs for assertion failures in wasm-ir-builder.cpp as an indicator of exploitation attempts. The patch validates that operands to br_on* instructions are properly typed as references, replacing assertion failures with graceful error returns.
A Denial of Service vulnerability exits in Binaryen 103 due to an assertion abort in wasm::handle_unreachable. Rated hig
An issue was discovered in Binaryen 1.38.32. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitabl
An issue was discovered in Binaryen 1.38.32. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitabl
wasm::WasmBinaryBuilder::readUserSection in wasm-binary.cpp in Binaryen 1.38.22 triggers an attempt at excessive memory
In Binaryen 1.38.22, there is a use-after-free problem in wasm::WasmBinaryBuilder::visitCall in wasm-binary.cpp. Rated m
A NULL pointer dereference was discovered in wasm::SExpressionWasmBuilder::parseExpression in wasm-s-parser.cpp in Binar
A heap-based buffer over-read was discovered in wasm::SExpressionParser::skipWhitespace() in wasm-s-parser.cpp in Binary
A heap-based buffer over-read was discovered in wasm::WasmBinaryBuilder::visitCall in wasm-binary.cpp in Binaryen 1.38.2
An assertion failure was discovered in wasm::WasmBinaryBuilder::getType() in wasm-binary.cpp in Binaryen 1.38.22. Rated
The main function in tools/wasm2js.cpp in Binaryen 1.38.22 has a heap-based buffer overflow because Emscripten is misuse
A NULL pointer dereference was discovered in wasm::WasmBinaryBuilder::processFunctions() in wasm/wasm-binary.cpp (when c
A heap-based buffer over-read was discovered in wasm::WasmBinaryBuilder::processFunctions() in wasm/wasm-binary.cpp (whe
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29013
GHSA-gmmj-chcc-2f2x