Affected product: WebAssembly Binaryen
CPE: cpe:2.3:a:webassembly:binaryen:*:*:*:*:*:*:*
Affected versions: <= 125
A null pointer dereference vulnerability has been identified in WebAssembly Binaryen versions through 125. This issue arises in the IRBuilder component, specifically within the functions 'makeLocalGet', 'makeLocalSet', and 'makeLocalTee', located in 'src/wasm/wasm-ir-builder.cpp'. The vulnerability is triggered by manipulating the 'Index' argument, leading to a segmentation fault. This issue requires local access to exploit and has a public proof-of-concept available.
Exploitation of this vulnerability causes a segmentation fault, leading to a denial-of-service condition by crashing the application.
The vulnerability can be reproduced using the 'wasm-opt' tool included with Binaryen. After building Binaryen with the 'Release' configuration (excluding assertions) and with AddressSanitizer enabled, running 'wasm-opt' on a crafted WebAssembly binary triggers the null pointer dereference. AddressSanitizer then reports the segmentation fault, confirming that the vulnerability was triggered.
Users are advised to update to the latest version of WebAssembly Binaryen, where this vulnerability has been fixed.
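To find hosts or build images that still carry an affected release, the following added example (not part of the original advisory or the Binaryen project) classifies the output of 'wasm-opt --version' against the affected range. It assumes the version line has the form "wasm-opt version 125 (version_125)"; the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Binaryen builds in the advisory's affected range (<= 125).
# Assumption: `wasm-opt --version` prints a line such as
#   "wasm-opt version 125 (version_125)"
# Output that does not match is reported as "unknown" so it gets manual review.

LAST_AFFECTED=125   # from the advisory: versions through 125 are affected

# Print the numeric release parsed from a version line; return 1 if none found.
binaryen_release() {
    rel=$(printf '%s\n' "$1" \
        | sed -n 's/^[^ ]* version \([0-9][0-9]*\).*$/\1/p' \
        | head -n 1)
    [ -n "$rel" ] || return 1
    printf '%s\n' "$rel"
}

# Classify a version line: "affected", "outside-affected-range" or "unknown".
binaryen_status() {
    rel=$(binaryen_release "$1") || { echo "unknown"; return 0; }
    if [ "$rel" -le "$LAST_AFFECTED" ]; then
        echo "affected"
    else
        echo "outside-affected-range"
    fi
}

# Check the wasm-opt on PATH, or the binary given as $1.
check_installed_binaryen() {
    tool=${1:-wasm-opt}
    command -v "$tool" >/dev/null 2>&1 || { echo "not-installed"; return 0; }
    binaryen_status "$("$tool" --version 2>/dev/null | head -n 1)"
}

# Report the status of the local installation when run directly.
check_installed_binaryen
```

A result of "unknown" means the version line did not match the assumed format and the installation should be checked by hand.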