CVE-2026-3394
Received Received - Intake
Memory Corruption in jarikomppa soloud WAV File Parser

Publication date: 2026-03-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in jarikomppa soloud up to 20200207. This affects the function SoLoud::Wav::loadwav of the file src/audiosource/wav/soloud_wav.cpp of the component WAV File Parser. Performing a manipulation results in memory corruption. The attack must be initiated from a local position. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-01
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3394
EUVD
EUVD-2026-9129
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
solhsa soloud to 2020-02-07 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3394 is a memory corruption vulnerability in the jarikomppa soloud audio library, specifically in the function SoLoud::Wav::loadwav within the WAV File Parser component. It occurs due to improper handling of memory buffers when processing WAV files, allowing reads or writes outside the intended buffer boundaries. This can lead to a segmentation fault or memory corruption.

The vulnerability can be triggered locally by manipulating a crafted WAV file input, causing the audio engine to crash or potentially allowing further exploitation. The issue affects versions of soloud up to 20200207 and remains unpatched.

Impact Analysis

This vulnerability can impact you by causing memory corruption in the soloud audio library when processing specially crafted WAV files. This can lead to application crashes (segmentation faults), resulting in denial of service or reduced system availability.

Since the attack requires local access, an attacker must have the ability to run or supply malicious WAV files locally. Exploitation is considered easy, and a proof-of-concept exploit is publicly available, increasing the risk.

No known mitigations or patches exist, so affected users should consider alternative products or avoid using vulnerable versions to reduce risk.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by testing the SoLoud audio library's WAV file parser with specially crafted WAV files that trigger memory corruption in the function SoLoud::Wav::loadwav."}, {'type': 'paragraph', 'content': 'A practical detection method involves building the SoLoud library with AddressSanitizer (ASan) enabled and running a test harness that loads a crafted WAV file to observe if a segmentation fault or memory corruption occurs.'}, {'type': 'paragraph', 'content': 'Example commands to detect the vulnerability include:'}, {'type': 'list_item', 'content': 'Build SoLoud with ASan enabled (using Clang): clang++ -fsanitize=address -O2 -g -o test_harness harness.cpp -lsoLoud'}, {'type': 'list_item', 'content': 'Run the test harness with a crafted WAV file: ./test_harness crafted.wav'}, {'type': 'paragraph', 'content': 'If the program crashes with a segmentation fault or ASan reports an invalid memory write inside SoLoud::Wav::loadwav, the vulnerability is present.'}] [3]

Mitigation Strategies

Currently, there are no known patches or countermeasures provided by the vendor or project for this vulnerability.

Immediate mitigation steps include:

  • Avoid using the affected versions of the jarikomppa soloud library (up to 20200207) until a fix is released.
  • Consider replacing the soloud library with alternative audio libraries that do not have this vulnerability.
  • Restrict local access to systems running the vulnerable software to trusted users only, as exploitation requires local access.

Monitoring for suspicious local activity and limiting the ability to load untrusted WAV files can also reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3394. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart