CVE-2026-5315
Out-of-Bounds Read in stb_truetype.h TTF Handler
Publication date: 2026-04-02
Last updated on: 2026-04-30
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nothings | stb_truetype.h | to 1.26 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5315 is a heap-based out-of-bounds read vulnerability in the function stbtt__buf_get8() within the stb_truetype.h library (version up to 1.26) from the nothings/stb project.
This function reads a single byte from a buffer without properly checking if the read position is within the allocated buffer bounds, which leads to reading memory beyond the buffer (heap buffer overflow).
The vulnerability occurs during the parsing of the Compact Font Format (CFF) table when initializing a font, specifically in the font initialization functions stbtt_InitFont_internal() and stbtt_InitFont().
An attacker can trigger this vulnerability remotely by supplying a specially crafted font file that causes the out-of-bounds read.
How can this vulnerability impact me? :
This vulnerability can lead to an out-of-bounds read of heap memory, which may cause application crashes or undefined behavior.
While the vulnerability does not directly allow code execution or privilege escalation, it can be exploited remotely by providing a malicious font file, potentially leading to denial of service or information disclosure depending on the context in which the vulnerable library is used.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running a proof-of-concept (PoC) program that triggers the out-of-bounds read in the stb_truetype.h library. The PoC involves loading a specially crafted font file that causes the vulnerable function stbtt__buf_get8() to read beyond the allocated buffer.
To detect the vulnerability on your system, you can compile and run the provided minimal reproduction program with AddressSanitizer enabled. This will help identify the heap-buffer-overflow error caused by the vulnerability.
- Compile the repro.c program with AddressSanitizer using the command: clang -fsanitize=address -g -O0 repro.c -o repro -lm
- Run the compiled program with the provided base64-encoded font file (poc.ttf.b64) decoded to trigger the vulnerability.
AddressSanitizer will detect the out-of-bounds read during the font initialization process, indicating the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-5315 vulnerability, immediate steps include avoiding the use of vulnerable versions of the stb_truetype.h library (version 1.26 and earlier) when processing untrusted font files.
Since the vulnerability is an out-of-bounds read triggered during font initialization, you should consider validating or sanitizing font inputs before processing them with the affected library.
Additionally, monitor for any updates or patches from the vendor or community that address this issue, and apply them as soon as they become available.
If possible, use runtime memory protection tools such as AddressSanitizer during development and testing to detect and prevent exploitation.