CVE-2018-17292
Description
An issue was discovered in WAVM before 2018-09-16. The loadModule function in Include/Inline/CLI.h lacks checking of the file length before a file magic comparison, allowing attackers to cause a Denial of Service (application crash caused by out-of-bounds read) by crafting a file that has fewer than 4 bytes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products: 2
Patches
Vulnerability mechanics
Root cause
"The loadModule function fails to check the file length before attempting to read the file magic, leading to an out-of-bounds read."
Attack vector
An attacker can trigger this vulnerability by providing a crafted file that contains fewer than 4 bytes to the WAVM loader. This could be an empty file or a file with only a few bytes. The WAVM tool will then attempt to read the file's magic number without validating the file size, causing an out-of-bounds read and a denial of service.
Affected code
The vulnerability exists in the `loadModule` function located in `Include/Inline/CLI.h` [ref_id=1]. Specifically, the code at line 147 is affected, where the file length is not checked before the file magic comparison.
What the fix does
The patch adds a check to ensure the file has at least 4 bytes before attempting to read the magic number. This prevents the out-of-bounds read that occurred when processing files smaller than 4 bytes, thus mitigating the denial of service vulnerability.
Preconditions
- input: A file with fewer than 4 bytes.
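The length-before-magic check described above, as an added example that is not WAVM's code or the text of the patch. The names `classifyFile`, `hasMagicUnchecked` and `FileKind` are hypothetical, and the sample inputs are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// WebAssembly binary modules start with the 4-byte magic "\0asm".
static const std::uint8_t kWasmMagic[4] = {0x00, 0x61, 0x73, 0x6d};

enum class FileKind { TooShort, WasmBinary, NotWasmBinary };

// Unchecked pattern (the bug class in the description): always reads 4 bytes,
// so a buffer holding fewer than 4 bytes is read out of bounds.
// Only safe when the caller has already verified bytes.size() >= 4.
bool hasMagicUnchecked(const std::vector<std::uint8_t>& bytes) {
    return std::memcmp(bytes.data(), kWasmMagic, sizeof(kWasmMagic)) == 0;
}

// Hardened pattern: reject short input before touching the first 4 bytes.
FileKind classifyFile(const std::vector<std::uint8_t>& bytes) {
    if (bytes.size() < sizeof(kWasmMagic)) return FileKind::TooShort;
    return hasMagicUnchecked(bytes) ? FileKind::WasmBinary
                                    : FileKind::NotWasmBinary;
}

int main() {
    // Constructed sample inputs: empty file, 3-byte file, valid header, text.
    const std::vector<std::vector<std::uint8_t>> samples = {
        {},
        {0x00, 0x61, 0x73},
        {0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00},
        {'(', 'm', 'o', 'd', 'u', 'l', 'e', ')'},
    };
    static const char* const names[] = {"too short", "wasm binary",
                                        "not wasm binary"};
    for (const auto& s : samples)
        std::printf("%zu bytes -> %s\n", s.size(),
                    names[static_cast<int>(classifyFile(s))]);
    return 0;
}
```

Building with `-fsanitize=address` and calling the unchecked helper directly on the short samples is a quick way to confirm a regression test covers this case.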
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/WAVM/WAVM/commit/2de6cf70c5ef31e22ed119a25ac2daeefd3d18a1 (mitre, x_refsource_MISC)
- github.com/WAVM/WAVM/issues/109 (mitre, x_refsource_MISC)