Bug 2373934 (CVE-2025-6274)

Summary: CVE-2025-6274 wabt: WebAssembly wabt excess resource consumption
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: erack, gotiwari, jhorak, mvyas, tpopela
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A denial-of-service vulnerability has been identified in WebAssembly's WebAssembly Binary Toolkit (wabt), specifically within the OnDataCount function. This flaw allows an attacker with local access to trigger runaway resource consumption (for example, excessive memory or CPU usage) by manipulating input provided to this function. This uncontrolled resource use can lead to the host operating system terminating the affected process, resulting in a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2374060, 2374062    
Bug Blocks:    

Description OSIDB Bzimport 2025-06-19 20:01:10 UTC 
A vulnerability was found in WebAssembly wabt up to 1.0.37. It has been classified as problematic. Affected is the function OnDataCount of the file src/interp/binary-reader-interp.cc. The manipulation leads to resource consumption. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. A similar issue reported during the same timeframe was disputed by the code maintainer because it might not affect "real world wasm programs". Therefore, this entry might get disputed as well in the future.