CVE-2026-3393
Received Received - Intake
Heap-Based Buffer Overflow in jarikomppa soloud Audio Handler

Publication date: 2026-03-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in jarikomppa soloud up to 20200207. The impacted element is the function SoLoud::Wav::loadflac of the file src/audiosource/wav/soloud_wav.cpp of the component Audio File Handler. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-01
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3393
EUVD
EUVD-2026-9128
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
solhsa soloud to 2020-02-07 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3393 is a heap-based buffer overflow vulnerability found in the jarikomppa soloud audio library, specifically in the function SoLoud::Wav::loadflac within the file src/audiosource/wav/soloud_wav.cpp. This flaw occurs when the function improperly handles input data while loading FLAC audio files embedded in WAV containers or loaded from memory, causing a write operation beyond the allocated heap buffer.

The overflow happens due to incorrect bounds checking or buffer size miscalculation during FLAC data parsing, leading to memory corruption in the heap area. Exploitation requires local access, meaning an attacker must have local system privileges to trigger the vulnerability. The issue has been publicly disclosed with proof-of-concept exploits available, but no patches or mitigations have been provided yet.

Impact Analysis

This vulnerability can impact system availability by causing crashes or instability in applications using the SoLoud audio library when processing crafted FLAC audio files. The heap-based buffer overflow can lead to memory corruption, which might result in application crashes or potentially allow an attacker with local access to execute arbitrary code.

Since exploitation requires local privileges, remote attackers cannot exploit this vulnerability directly. However, if an attacker gains local access, they could leverage this flaw to disrupt audio processing or escalate their privileges through further exploitation.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by attempting to load crafted FLAC audio files embedded in WAV containers or loaded from memory using the SoLoud audio library's functions, specifically SoLoud::Wav::loadflac or loadMem. Detection involves reproducing the heap-based buffer overflow or crashes using a test harness that reads an input file into memory and calls the vulnerable functions."}, {'type': 'paragraph', 'content': 'A practical approach is to use the publicly available proof-of-concept exploit and test harness that triggers the overflow and crash, which can be run on a Linux x86_64 system with AddressSanitizer (ASAN) enabled to detect invalid memory writes.'}, {'type': 'paragraph', 'content': 'Suggested commands include compiling the SoLoud library with ASAN enabled and running the test harness with crafted audio files to observe crashes or ASAN reports. For example:'}, {'type': 'list_item', 'content': 'Compile SoLoud with ASAN: `clang++ -fsanitize=address -g -O1 -o test_harness test_harness.cpp`'}, {'type': 'list_item', 'content': 'Run the test harness with a crafted FLAC-in-WAV file: `./test_harness crafted_audio.wav`'}, {'type': 'paragraph', 'content': 'Monitoring logs for AddressSanitizer output indicating heap-buffer-overflow or segmentation faults during audio file loading is key to detecting the vulnerability.'}] [1, 4, 5]

Mitigation Strategies

Currently, there are no known patches or countermeasures provided by the vendor or maintainers of the SoLoud audio library for this vulnerability.

Immediate mitigation steps include avoiding the use of the affected versions of the SoLoud library (up to 20200207) especially in environments where local users could exploit this vulnerability.

Consider replacing or upgrading to alternative audio libraries that do not contain this vulnerability.

Restrict local access to systems running the vulnerable software to trusted users only, as exploitation requires local privileges.

Monitor for any updates or patches from the vendor or community and apply them as soon as they become available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3393. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart