CVE-2026-32837
Heap Out-of-Bounds Read in miniaudio WAV BEXT Parser Causes DoS
Publication date: 2026-03-17
Last updated on: 2026-04-27
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mackron | miniaudio | to 0.11.25 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-170 | The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32837 is a heap out-of-bounds read vulnerability in the miniaudio library versions 0.11.25 and earlier. It occurs in the WAV BEXT metadata parser, specifically in the handling of the coding history field. The vulnerability arises because the parser does not properly null-terminate the coding history string, causing it to read beyond the allocated memory buffer.
This improper null-termination leads to memory access violations when processing specially crafted WAV files with malformed BEXT chunks. The out-of-bounds read can cause application crashes or denial of service.
How can this vulnerability impact me? :
Exploiting this vulnerability allows an attacker to cause memory access violations by processing maliciously crafted WAV files. This can lead to application crashes or denial of service, potentially disrupting the normal operation of software using the affected miniaudio library.
Because the vulnerability involves a heap out-of-bounds read, it may also pose a risk of information disclosure, although the primary impact is denial of service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if your system or application processes WAV files with a Broadcast Extension (bext) chunk containing a coding history field that lacks a null terminator. Specifically, detection involves analyzing WAV files for malformed bext chunks or monitoring applications that use miniaudio version 0.11.25 or earlier for crashes or memory access violations.
A practical approach to detection is to use AddressSanitizer (ASAN) or similar memory error detection tools when running applications that use the vulnerable miniaudio library. ASAN can detect heap-buffer-overflow errors triggered by processing crafted WAV files.
While no specific commands are provided in the resources, you can test for the vulnerability by processing specially crafted WAV files with the vulnerable application under ASAN or other memory debugging tools to observe heap-buffer-overflow errors.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, avoid processing untrusted or potentially malicious WAV files containing bext chunks with malformed coding history fields.
If you maintain or develop software using the miniaudio library, update the code to explicitly write a null terminator after reading the coding history field bytes. This can be done by setting the null terminator at the index corresponding to the number of bytes read.
Alternatively, replace the unsafe call to the custom strlen function with a bounded version that respects the buffer limits, such as `ma_dr_wav__strlen_clamped(pCodingHistory, extraBytes)`.
Applying these code changes or updating to a fixed version of miniaudio will prevent out-of-bounds reads and potential application crashes or denial of service.