Executive Summary

CVE-2026-32836 is an uncontrolled memory allocation vulnerability in the dr_libs library (version 0.13.3 and earlier), specifically in the function drflac__read_and_decode_metadata(). This function processes FLAC audio metadata, particularly the PICTURE metadata block.

The vulnerability arises because the function reads attacker-controlled fields mimeLength and descriptionLength from the PICTURE metadata block and allocates memory based on these values before verifying that they fit within the actual size of the metadata block. This allows an attacker to supply crafted FLAC streams with extremely large mimeLength or descriptionLength values, causing the program to request excessive memory allocation.

Because the bounds checks occur after the memory allocation calls, this can lead to out-of-memory conditions or crashes, enabling denial of service attacks through memory exhaustion.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial of service (DoS) condition on systems using vulnerable versions of dr_libs when processing malicious FLAC streams.

Specifically, an attacker can craft FLAC metadata with manipulated mimeLength and descriptionLength fields that trigger excessive memory allocation requests, potentially exhausting system memory and causing the application or system to crash or become unresponsive.

The attack requires local access (local attack vector) but does not require privileges or user interaction, and it has a high impact on availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability occurs when processing FLAC streams with metadata callbacks enabled, specifically in the PICTURE metadata block parsing. Detection involves identifying usage of vulnerable dr_libs versions (0.13.3 and earlier) that call drflac__read_and_decode_metadata() with a non-NULL metadata callback.

Since the vulnerability is triggered by crafted FLAC files containing malicious PICTURE metadata blocks, detection can include monitoring for abnormal memory allocation or crashes when processing FLAC audio files.

No specific detection commands are provided in the resources. However, you can attempt to reproduce the issue by running the vulnerable application with crafted FLAC files that contain oversized mimeLength or descriptionLength fields in the PICTURE metadata block, as demonstrated by the standalone reproducer mentioned in Resource 1.

For practical detection, you might use debugging tools like GDB to monitor memory allocation calls in the vulnerable function or use fuzzing tools such as libFuzzer targeting drflac_open_memory_with_metadata to identify triggering inputs.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves avoiding the use of vulnerable versions of dr_libs (version 0.13.3 and earlier) when processing FLAC streams with metadata callbacks enabled.

If you maintain software that uses dr_libs, disable or avoid passing non-NULL metadata callbacks to functions like drflac_open_*_with_metadata(), as the vulnerability is only exploitable when metadata callbacks are active.

Apply the suggested fix from Resource 1, which involves adding bounds checks for mimeLength and descriptionLength fields before memory allocation in the drflac__read_and_decode_metadata() function. This fix prevents excessive memory allocation requests.

Monitor for updates or patches from the dr_libs project and apply them promptly once available.

Useful 0 Not Useful 0