CVE-2026-5316
Received Received - Intake
Remote Resource Allocation Vulnerability in Nothings stb_vorbis.c

Publication date: 2026-04-02

Last updated on: 2026-04-30

Assigner: VulDB

Description
A vulnerability was identified in Nothings stb up to 1.22. The impacted element is the function setup_free of the file stb_vorbis.c. The manipulation leads to allocation of resources. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5316
EUVD
EUVD-2026-18110
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nothings stb_vorbis.c to 1.22 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5316 is an invalid free vulnerability (CWE-761) in the Ogg Vorbis audio decoder implementation within the nothings/stb project, specifically in the setup_free() function of the stb_vorbis.c file (version up to 1.22).

The issue occurs when processing a specially crafted Ogg Vorbis file with malformed setup headers. This corrupts the internal decoder state, causing setup_free() to attempt to free an invalid pointer during cleanup, which leads to a crash (segmentation fault).

The vulnerability can be triggered remotely by supplying a malicious Ogg Vorbis file, and a proof-of-concept exploit is publicly available.

Impact Analysis

This vulnerability can cause a crash in applications using the vulnerable version of the stb_vorbis.c decoder when processing maliciously crafted Ogg Vorbis audio files.

Such crashes can lead to denial of service (DoS) conditions, potentially disrupting service availability if the affected software is part of a larger system.

Since the exploit is publicly available and the attack can be carried out remotely, attackers could exploit this to crash applications or services that decode Ogg Vorbis audio using the vulnerable library.

Detection Guidance

This vulnerability can be detected by running the vulnerable Ogg Vorbis decoder with a specially crafted Ogg Vorbis file that triggers the invalid free in the setup_free() function. Using AddressSanitizer (ASAN) during execution can help identify the invalid free and segmentation fault.

A minimal reproduction program (repro.c) is available that loads the crafted file into memory and calls stb_vorbis_decode_memory() to trigger the crash.

  • Compile the reproduction program with AddressSanitizer enabled using the command: clang -fsanitize=address -g -O0 repro.c -o repro -lm
  • Run the compiled program with the base64-decoded crafted Ogg Vorbis file to observe the invalid free and crash.
Mitigation Strategies

To mitigate the CVE-2026-5316 vulnerability, immediate steps include avoiding processing untrusted or specially crafted Ogg Vorbis files that could trigger the invalid free in the stb_vorbis decoder.

Since the vulnerability is triggered by malformed setup headers in Ogg Vorbis files, implementing input validation or filtering to detect and reject malformed or suspicious audio files before decoding can reduce risk.

Additionally, running the decoder in a sandboxed or restricted environment can limit the impact of potential crashes caused by this vulnerability.

Currently, no vendor response or patch is available, so monitoring for updates or patches from the vendor or community is recommended.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-5316 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5316. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart