Denial of Service Vulnerability in WAVM by WAVM Inc.
CVE-2018-17292

6.5 MEDIUM

What is CVE-2018-17292?

A vulnerability has been identified in WAVM due to inadequate validation in the loadModule function, specifically in Include/Inline/CLI.h. The function performs a file magic comparison without first ensuring that the file is at least 4 bytes long. An attacker who supplies a file with fewer than 4 bytes therefore triggers an out-of-bounds read, which can crash the application. Attackers can leverage this flaw to create malicious files that induce Denial of Service conditions in affected installations.
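The missing length check described above, shown as an added example that is not WAVM's own code. The names `classifyModuleFile` and `FileKind` are hypothetical and the sample buffers are constructed; the magic value is the standard WebAssembly binary header `\0asm`.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Standard WebAssembly binary magic: "\0asm".
static const std::uint8_t kWasmMagic[4] = {0x00, 0x61, 0x73, 0x6d};

// Hypothetical result type, used only in this example.
enum class FileKind { TooShort, WasmBinary, Other };

// Unsafe pattern (shown as a comment for contrast, never executed): it reads
// 4 bytes no matter how many bytes the file actually contains.
//   std::uint32_t magic;
//   std::memcpy(&magic, bytes.data(), 4);  // out-of-bounds when size() < 4

// Hardened pattern: validate the length before comparing the magic.
FileKind classifyModuleFile(const std::vector<std::uint8_t>& bytes)
{
    if (bytes.size() < sizeof(kWasmMagic))
        return FileKind::TooShort;  // reject instead of reading past the end
    if (std::memcmp(bytes.data(), kWasmMagic, sizeof(kWasmMagic)) == 0)
        return FileKind::WasmBinary;
    return FileKind::Other;  // not a binary module; left to another parser
}

int main()
{
    // Constructed inputs: empty, 3-byte truncated header, valid header, text.
    const std::vector<std::vector<std::uint8_t>> samples = {
        {},
        {0x00, 0x61, 0x73},
        {0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00},
        {'(', 'm', 'o', 'd', 'u', 'l', 'e', ')'},
    };
    static const char* const names[] = {"too short", "wasm binary", "other"};
    for (const auto& sample : samples)
        std::printf("%zu bytes -> %s\n", sample.size(),
                    names[static_cast<int>(classifyModuleFile(sample))]);
    return 0;
}
```

Files of 0 to 3 bytes are useful regression inputs for any loader that inspects a fixed-size header.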

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
