CVE-2026-4009
Received Received - Intake
Out-of-Bounds Read in jarikomppa soloud WAV File Parser

Publication date: 2026-03-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in jarikomppa soloud up to 20200207. Impacted is the function drwav_read_pcm_frames_s16__msadpcm in the library src/audiosource/wav/dr_wav.h of the component WAV File Parser. The manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. Upgrading to version 20200207 is recommended to address this issue. It is recommended to upgrade the affected component. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4009
EUVD
EUVD-2026-11542
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jarikomppa soloud to 20200207 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

CVE-2026-4009 is an out-of-bounds read vulnerability found in the jarikomppa soloud audio library, specifically in the function drwav_read_pcm_frames_s16__msadpcm within the WAV File Parser component (src/audiosource/wav/dr_wav.h).

This vulnerability occurs when the function reads memory beyond the intended buffer boundaries, either before or after the buffer, which can lead to unexpected behavior or crashes.

The issue requires local access to exploit and is considered easy to exploit, with a public proof-of-concept exploit available.

Upgrading to version 20200207 of soloud is recommended to fix this vulnerability.

Impact Analysis

This vulnerability can impact the availability of the affected system by causing crashes due to out-of-bounds memory reads.

Additionally, it may expose sensitive memory content when processing maliciously crafted WAV files, posing a security risk.

Since the attack requires local access, an attacker must have some level of access to the system to exploit it.

Detection Guidance

This vulnerability can be detected by reproducing the out-of-bounds read condition locally on the affected system. Since the exploit requires local access and involves processing a specially crafted MSADPCM WAV file, detection involves running a test harness with AddressSanitizer (ASan) enabled to catch invalid memory reads.

Suggested detection steps include building the SoLoud audio library and a provided test harness with ASan enabled, then running the harness with a malicious WAV file designed to trigger the vulnerability. The ASan report will indicate an invalid read if the vulnerability is present.

  • Build SoLoud with ASan: `clang -fsanitize=address -g -o test_harness test_harness.c -lsoLoud` (example command)
  • Run the test harness with the crafted WAV file: `./test_harness malicious.wav`

Monitoring system logs or crash reports for AddressSanitizer errors related to `drwav_read_pcm_frames_s16__msadpcm` can also help detect exploitation attempts.

Mitigation Strategies

The primary and recommended mitigation step is to upgrade the affected SoLoud audio library to version 20200207 or later, where this vulnerability has been fixed.

Since the attack requires local access, restricting local user permissions and limiting access to systems running vulnerable versions can reduce risk.

Avoid processing untrusted or malicious MSADPCM WAV files until the upgrade is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4009. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart