Nixpkgs security tracker

Untriaged

Permalink CVE-2026-8257

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 2 weeks, 1 day ago Activity log

Created suggestion 2 weeks, 1 day ago

WebAssembly Binaryen BrOn wasm-ir-builder.cpp makeBrOn assertion

A vulnerability was detected in WebAssembly Binaryen up to 117. This issue affects the function IRBuilder::makeBrOn of the file src/wasm/wasm-ir-builder.cpp of the component BrOn Parser. Performing a manipulation results in reachable assertion. The attack needs to be approached locally. The exploit is now public and may be used. The patch is named 1251efbc1ea471c1311d2726b2bbe061ff2a291c. It is suggested to install a patch to address this issue.

References

VDB-362554 | WebAssembly Binaryen BrOn wasm-ir-builder.cpp makeBrOn assertion technical-descriptionvdb-entry
VDB-362554 | CTI Indicators (IOB, IOC, IOA) permissions-requiredsignature
Submit #809552 | WebAssembly Community Binaryen main branch commit 3ef8d19 (v117 development version, vulnerable version before fix commit 1251efb) Fixed version: commit 1251ef Assertion Failure, Denial of Service (Local DoS) third-party-advisory
https://github.com/WebAssembly/binaryen/issues/8633 issue-tracking
https://github.com/WebAssembly/binaryen/pull/8635 issue-trackingpatch
https://github.com/HackC0der/CVE-Repos/blob/main/wasm-binaryen/Assertion_Failur… exploitpatch
https://github.com/WebAssembly/binaryen/commit/1251efbc1ea471c1311d2726b2bbe061… patch
https://github.com/WebAssembly/binaryen/ product

Affected products

Binaryen

==117

Matching in nixpkgs

pkgs.binaryen

Compiler infrastructure and toolchain library for WebAssembly, in C++

nixos-unstable 129
- nixpkgs-unstable 129
- nixos-unstable-small 129
nixos-25.11 126
- nixos-25.11-small 126
- nixpkgs-25.11-darwin 126

pkgs.haskellPackages.binaryen

Haskell bindings to binaryen

nixos-unstable 0.0.6.0
- nixpkgs-unstable 0.0.6.0
- nixos-unstable-small 0.0.6.0
nixos-25.11 0.0.6.0
- nixos-25.11-small 0.0.6.0
- nixpkgs-25.11-darwin 0.0.6.0

Package maintainers

@willcohen Will Cohen