Executive Summary

CVE-2026-32837 is a heap out-of-bounds read vulnerability in the miniaudio library versions 0.11.25 and earlier. It occurs in the WAV BEXT metadata parser, specifically in the handling of the coding history field. The vulnerability arises because the parser does not properly null-terminate the coding history string, causing it to read beyond the allocated memory buffer.

This improper null-termination leads to memory access violations when processing specially crafted WAV files with malformed BEXT chunks. The out-of-bounds read can cause application crashes or denial of service.

Useful 0 Not Useful 0

Impact Analysis

Exploiting this vulnerability allows an attacker to cause memory access violations by processing maliciously crafted WAV files. This can lead to application crashes or denial of service, potentially disrupting the normal operation of software using the affected miniaudio library.

Because the vulnerability involves a heap out-of-bounds read, it may also pose a risk of information disclosure, although the primary impact is denial of service.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying if your system or application processes WAV files with a Broadcast Extension (bext) chunk containing a coding history field that lacks a null terminator. Specifically, detection involves analyzing WAV files for malformed bext chunks or monitoring applications that use miniaudio version 0.11.25 or earlier for crashes or memory access violations.

A practical approach to detection is to use AddressSanitizer (ASAN) or similar memory error detection tools when running applications that use the vulnerable miniaudio library. ASAN can detect heap-buffer-overflow errors triggered by processing crafted WAV files.

While no specific commands are provided in the resources, you can test for the vulnerability by processing specially crafted WAV files with the vulnerable application under ASAN or other memory debugging tools to observe heap-buffer-overflow errors.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, avoid processing untrusted or potentially malicious WAV files containing bext chunks with malformed coding history fields.

If you maintain or develop software using the miniaudio library, update the code to explicitly write a null terminator after reading the coding history field bytes. This can be done by setting the null terminator at the index corresponding to the number of bytes read.

Alternatively, replace the unsafe call to the custom strlen function with a bounded version that respects the buffer limits, such as `ma_dr_wav__strlen_clamped(pCodingHistory, extraBytes)`.

Applying these code changes or updating to a fixed version of miniaudio will prevent out-of-bounds reads and potential application crashes or denial of service.

Useful 0 Not Useful 0