CVE-2018-16764
Description
In WAVM through 2018-07-26, a crafted file sent to the WebAssembly Virtual Machine may cause a denial of service (application crash) or possibly have unspecified other impact because of an IR::FunctionValidationContext::catch_all heap-based buffer over-read.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <=2018-07-26
Patches
Vulnerability mechanics
Root cause
"A heap-based buffer over-read occurs in IR::FunctionValidationContext::catch_all when parsing a crafted WebAssembly file."
Attack vector
An attacker can trigger this vulnerability by sending a specially crafted WebAssembly file to the WAVM application. The malformed file causes an out-of-bounds read during the parsing process, leading to a crash. The specific function involved is `IR::FunctionValidationContext::catch_all(IR::NoImm)` [ref_id=1].
Affected code
The vulnerability resides within the `IR::FunctionValidationContext::catch_all` function, which is called during the serialization and validation of WebAssembly code sections. The crash occurs due to a heap-based buffer over-read when processing a malformed input file [ref_id=1].
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability is fixed. The recommended remediation is to update WAVM to a version that addresses this issue, though specific version information is not provided.
Preconditions
- input: The attacker must provide a crafted WebAssembly file.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/AndrewScheidecker/WAVM/issues/93 (mitre, x_refsource_MISC)