Bug 2373919 (CVE-2025-6273)

Summary: CVE-2025-6273 wabt: WebAssembly wabt reachable assertion
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: erack, gotiwari, jhorak, mvyas, tpopela
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A denial-of-service vulnerability has been identified in the WebAssembly Binary Toolkit (wabt), specifically within the LogOpcode function. This flaw allows an attacker with local access to trigger a program crash by manipulating input data, leading to a reachable assertion in the code path if the exception is improperly handled. Successful exploitation could impact the availability of applications or services that process WebAssembly binaries using wabt.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2374061, 2374063
Bug Blocks:

Description OSIDB Bzimport 2025-06-19 19:01:13 UTC
A vulnerability was found in WebAssembly wabt up to 1.0.37 and classified as problematic. This issue affects the function LogOpcode of the file src/binary-reader-objdump.cc. The manipulation leads to reachable assertion. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains that this issue might not affect "real world wasm programs".