CVE-2025-14956

5.3 MEDIUM

📋 TL;DR

This CVE describes a heap-based buffer overflow in the WasmBinaryReader::readExport function of WebAssembly Binaryen. An attacker who can get a crafted WebAssembly module processed by a vulnerable version may cause a denial of service or potentially execute arbitrary code. The vulnerability affects local hosts where Binaryen processes untrusted WebAssembly modules.

💻 Affected Systems

Products:
  • WebAssembly Binaryen
Versions: All versions up to 125
Operating Systems: All platforms running Binaryen
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems that process WebAssembly modules using Binaryen's binary reader functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Arbitrary code execution leading to complete system compromise, data theft, or persistent backdoor installation.

🟠 Likely Case

Application crash or denial of service when processing malicious WebAssembly modules.

🟢 If Mitigated

Limited impact with proper sandboxing and input validation, potentially just application instability.

🌐 Internet-Facing: LOW (requires local host access for exploitation)
🏢 Internal Only: MEDIUM (internal systems processing untrusted WebAssembly could be vulnerable)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploit requires crafting malicious WebAssembly binary and local access to trigger the buffer overflow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 4f52bff8c4075b5630422f902dd92a0af2c9f398 and later

Vendor Advisory: https://github.com/WebAssembly/binaryen/commit/4f52bff8c4075b5630422f902dd92a0af2c9f398

Restart Required: Yes

Instructions:

1. Update Binaryen to a version after commit 4f52bff8c4075b5630422f902dd92a0af2c9f398.
2. Rebuild any applications using Binaryen.
3. Restart affected services.

🔧 Temporary Workarounds

Input Validation (platform: all)

Implement strict validation of WebAssembly binary inputs before processing with Binaryen.

Sandbox Execution (platform: linux)

Run Binaryen in a sandboxed environment with limited privileges:

docker run --security-opt=no-new-privileges --cap-drop=ALL -it binaryen

🧯 If You Can't Patch

  • Isolate Binaryen processing to dedicated, non-privileged systems with network segmentation.
  • Implement strict monitoring for abnormal process behavior or crashes when processing WebAssembly modules.

🔍 How to Verify

Check if Vulnerable:

Check Binaryen version: binaryen --version should show version <= 125 or commit hash before 4f52bff8c4075b5630422f902dd92a0af2c9f398.

Check Version:

binaryen --version

Verify Fix Applied:

Verify that the Binaryen version is > 125 or that the build includes commit 4f52bff8c4075b5630422f902dd92a0af2c9f398. Test with a known malicious WebAssembly module to ensure no crash.

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault logs from Binaryen processes
  • Abnormal termination of WebAssembly processing services

Network Indicators:

  • Unusual local process communication patterns when WebAssembly modules are processed

SIEM Query:

process.name:"binaryen" AND (event.action:"segmentation_fault" OR event.action:"crash")
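As an added example (not part of this advisory or of the Binaryen project), the following Python detector applies the same logic as the SIEM query above to Linux kernel segfault messages, so hosts without a SIEM can still flag crashes of Binaryen processes. The log lines are constructed samples; the watched process name "binaryen" follows the query above, and the page-fault error-code decoding uses the x86 bits the kernel prints after "error".

```python
import re

# Linux kernel segfault message, as it appears in dmesg/journald/syslog:
#   <comm>[<pid>]: segfault at <addr> ip <addr> sp <addr> error <code> in <object>[<base>+<size>]
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<code>\d+) in (?P<obj>\S+)"
)

# Process names to alert on; "binaryen" is the name the advisory's SIEM query uses.
WATCHED_PROCESSES = {"binaryen"}

def decode_error_code(code: int) -> str:
    """Decode the x86 page-fault error bits the kernel prints after 'error'."""
    access = "write" if code & 2 else "read"
    mode = "user" if code & 4 else "kernel"
    cause = "protection violation" if code & 1 else "page not present"
    return f"{mode}-mode {access}, {cause}"

def parse_segfault(line: str):
    """Return a flat, SIEM-style event for a kernel segfault line, or None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    return {
        "process.name": m["comm"],
        "process.pid": int(m["pid"]),
        "event.action": "segmentation_fault",
        "fault.address": int(m["addr"], 16),
        "fault.object": m["obj"],
        "fault.kind": decode_error_code(int(m["code"])),
    }

def find_watched_crashes(lines):
    """Equivalent of: process.name:"binaryen" AND event.action:"segmentation_fault"."""
    hits = []
    for line in lines:
        ev = parse_segfault(line)
        if ev is not None and ev["process.name"] in WATCHED_PROCESSES:
            hits.append(ev)
    return hits

# Constructed sample log lines (not real crashes); hostnames, PIDs and addresses are made up.
SAMPLE_LOG = [
    "Jan 10 12:00:01 build01 kernel: binaryen[4242]: segfault at 7f3a1c0f2000 ip 000055d0c1a4b2e3 "
    "sp 00007ffd8b1c2f30 error 6 in binaryen[55d0c1a00000+2c0000]",
    "Jan 10 12:00:02 build01 kernel: python3[5151]: segfault at 0 ip 00007f11aa0b1234 "
    "sp 00007ffc0000aaaa error 4 in libc.so.6[7f11aa080000+1c0000]",
    "Jan 10 12:00:03 build01 sshd[770]: Accepted publickey for ci from 10.0.0.5 port 50112",
]

if __name__ == "__main__":
    for ev in find_watched_crashes(SAMPLE_LOG):
        print(ev)  # only the binaryen[4242] crash is reported
```

Feed it `journalctl -k` or `/var/log/kern.log` output to alert on every Binaryen segfault, while unrelated crashes (the python3 line) and non-crash lines are ignored.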

🔗 References
