CVE-2026-5314
Received Received - Intake
Out-of-Bounds Read in stb_truetype.h Enables Remote Exploit

Publication date: 2026-04-01

Last updated on: 2026-04-30

Assigner: VulDB

Description
A vulnerability was found in Nothings stb up to 1.26. Impacted is the function stbtt_InitFont_internal in the library stb_truetype.h of the component TTF File Handler. Performing a manipulation results in out-of-bounds read. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5314
EUVD
EUVD-2026-18092
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nothings stb_truetype.h to 1.26 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the function stbtt_InitFont_internal within the stb_truetype.h library, which is part of the TTF File Handler component. It allows an attacker to perform a manipulation that results in an out-of-bounds read. This means the program reads memory outside the intended boundaries, which can lead to unexpected behavior or crashes.

The vulnerability can be exploited remotely, and the exploit code has been made public. The vendor was informed early but did not respond.

Impact Analysis

The vulnerability can lead to an out-of-bounds read, which may cause application crashes or potentially expose sensitive information from memory. Since remote exploitation is possible, attackers could exploit this vulnerability over a network without requiring privileges or user interaction.

However, the CVSS scores indicate a relatively low to moderate severity, with the highest base score being 5.0 (v2.0) and lower scores in newer versions, suggesting limited impact in terms of confidentiality and integrity but some impact on availability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5314. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart