Description
A vulnerability was detected in WebAssembly Binaryen up to 117. This issue affects the function IRBuilder::makeBrOn of the file src/wasm/wasm-ir-builder.cpp of the component BrOn Parser. Performing a manipulation results in reachable assertion. The attack needs to be approached locally. The exploit is now public and may be used. The patch is named 1251efbc1ea471c1311d2726b2bbe061ff2a291c. It is suggested to install a patch to address this issue.
Published: 2026-05-11
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Binaryen library's IRBuilder::makeBrOn function allows malformed input to trigger an assertion, aborting the process that uses Binaryen. The description states that the assertion is reachable and that the attack is local, meaning an attacker must have some local access to the system running Binaryen. The vulnerability is classified as CWE-617 (Reachable Assertion) and has a CVSS score of 4.8, indicating medium severity.

Affected Systems

The vulnerable component is WebAssembly Binaryen, versions up through 117. The issue resides in the "src/wasm/wasm-ir-builder.cpp" file, specifically the BrOn parser. Only installations of Binaryen that have not applied the patch commit 1251efbc1ea471c1311d2726b2bbe061ff2a291c are affected.

Risk and Exploitability

The CVSS score of 4.8 reflects the local attack vector and the limited, availability-only impact shown in the CVSS vectors. The EPSS score is below 1% (Very Low), and the vulnerability is not listed in CISA's KEV catalog. Because the attack requires local access, exploitation is limited to users who can already run code with privileges sufficient to invoke Binaryen functions. A public patch, commit 1251efbc1ea471c1311d2726b2bbe061ff2a291c, is available to address the issue.

Generated by OpenCVE AI on May 11, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch commit 1251efbc1ea471c1311d2726b2bbe061ff2a291c to Binaryen or upgrade to a version that includes this fix
  • Restart all services that link to the patched Binaryen library so the changes take effect
  • Check application logs for any assertion failures to confirm the vulnerability is no longer exploitable

Advisories

No advisories yet.

History

Mon, 11 May 2026 01:30:00 +0000

Values Added (no values removed):

Description: A vulnerability was detected in WebAssembly Binaryen up to 117. This issue affects the function IRBuilder::makeBrOn of the file src/wasm/wasm-ir-builder.cpp of the component BrOn Parser. Performing a manipulation results in reachable assertion. The attack needs to be approached locally. The exploit is now public and may be used. The patch is named 1251efbc1ea471c1311d2726b2bbe061ff2a291c. It is suggested to install a patch to address this issue.
Title: WebAssembly Binaryen BrOn wasm-ir-builder.cpp makeBrOn assertion
First Time appeared: Webassembly; Webassembly binaryen
Weaknesses: CWE-617
CPEs: cpe:2.3:a:webassembly:binaryen:*:*:*:*:*:*:*:*
Vendors & Products: Webassembly; Webassembly binaryen
References:
Metrics:
  cvssV2_0: score 1.7, vector AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C
  cvssV3_0: score 3.3, vector CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
  cvssV3_1: score 3.3, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
  cvssV4_0: score 4.8, vector CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-11T00:30:13.661Z

Reserved: 2026-05-10T14:57:05.580Z

Link: CVE-2026-8257

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-11T02:16:27.090

Modified: 2026-05-11T02:16:27.090

Link: CVE-2026-8257

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T02:30:25Z

Weaknesses