{ "threat_severity" : "Moderate", "public_date" : "2026-01-01T19:32:07Z", "bugzilla" : { "description" : "wabt: WebAssembly wabt: Memory corruption vulnerability in wasm-decompile component", "id" : "2426683", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426683" }, "cvss3" : { "cvss3_base_score" : "7.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-119", "details" : [ "A weakness has been identified in WebAssembly wabt up to 1.0.39. This vulnerability affects the function wabt::AST::InsertNode of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. This manipulation causes memory corruption. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended to the researcher to provide a PR himself.", "A flaw was found in WebAssembly wabt. A local attacker could exploit a vulnerability in the `wasm-decompile` component by manipulating the `InsertNode` function. This could lead to memory corruption, potentially allowing the attacker to gain unauthorized access or cause system instability. An exploit for this vulnerability has been made public." ], "statement" : "This vulnerability is rated Moderate as memory corruption flaw exists in the `wasm-decompile` component of WebAssembly Binary Toolkit (wabt), which can be exploited by a local attacker. This issue affects components like `wabt`, `firefox`, and `thunderbird` in Red Hat Enterprise Linux and Fedora.", "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-15411\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-15411\nhttps://github.com/WebAssembly/wabt/issues/2679\nhttps://github.com/oneafter/1208/blob/main/af1\nhttps://vuldb.com/?ctiid.339332\nhttps://vuldb.com/?id.339332\nhttps://vuldb.com/?submit.719825" ], "name" : "CVE-2025-15411", "csaw" : false }