CVE-2026-5316
Remote Resource Allocation Vulnerability in Nothings stb_vorbis.c
Publication date: 2026-04-02
Last updated on: 2026-04-30
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nothings | stb_vorbis.c | up to and including 1.22 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5316 is an invalid free vulnerability (CWE-761) in the Ogg Vorbis audio decoder implementation within the nothings/stb project, specifically in the setup_free() function of the stb_vorbis.c file (version up to 1.22).
The issue occurs when processing a specially crafted Ogg Vorbis file with malformed setup headers. This corrupts the internal decoder state, causing setup_free() to attempt to free an invalid pointer during cleanup, which leads to a crash (segmentation fault).
The vulnerability can be triggered remotely by supplying a malicious Ogg Vorbis file, and a proof-of-concept exploit is publicly available.
How can this vulnerability impact me?
This vulnerability can cause a crash in applications using the vulnerable version of the stb_vorbis.c decoder when processing maliciously crafted Ogg Vorbis audio files.
Such crashes can lead to denial of service (DoS) conditions, potentially disrupting service availability if the affected software is part of a larger system.
Since the exploit is publicly available and the attack can be carried out remotely, attackers could exploit this to crash applications or services that decode Ogg Vorbis audio using the vulnerable library.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running the vulnerable Ogg Vorbis decoder against a specially crafted Ogg Vorbis file that triggers the invalid free in the setup_free() function. Building with AddressSanitizer (ASan) makes the invalid free visible as a sanitizer report rather than a bare segmentation fault.
A minimal reproduction program (repro.c) is available that loads the crafted file into memory and calls stb_vorbis_decode_memory() to trigger the crash.
- Compile the reproduction program with AddressSanitizer enabled: `clang -fsanitize=address -g -O0 repro.c -o repro -lm`
- Run the compiled program on the base64-decoded crafted Ogg Vorbis file and observe the invalid-free report and crash.
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-5316, the immediate step is to avoid decoding untrusted or specially crafted Ogg Vorbis files that could trigger the invalid free in the stb_vorbis decoder.
Because the vulnerability is triggered by malformed setup headers in Ogg Vorbis files, validating or filtering input to detect and reject malformed or suspicious audio files before they reach the decoder reduces the risk.
Additionally, running the decoder in a sandboxed or restricted environment limits the impact of a crash caused by this vulnerability.
No vendor response or patch is currently available, so monitor for updates or patches from the vendor or community.
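As an added example (not code from the stb project or from this advisory), the following C pre-decode check implements the input-validation mitigation suggested above: it parses the first Ogg page of an in-memory file, verifies the page CRC and the fields of the Vorbis identification header, and returns an error code so the caller can refuse structurally broken input before stb_vorbis_decode_memory() is ever invoked. The function names, error codes and the build_ident_page() helper are this example's own, and the page it constructs is synthetic. A check like this raises the bar against malformed files but does not inspect the later setup header, so it complements sandboxing and patching rather than replacing them.

```c
/* Pre-decode sanity check for an in-memory Ogg Vorbis file (added example,
 * not stb project code). Validates the first Ogg page and the Vorbis
 * identification header it carries. Field layout follows the Ogg framing
 * and Vorbis I specifications. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum precheck_result {
    PRECHECK_OK = 0,
    PRECHECK_TRUNCATED = -1,   /* buffer shorter than the structures claim */
    PRECHECK_NOT_OGG = -2,     /* missing "OggS" capture pattern or bad version */
    PRECHECK_BAD_CRC = -3,     /* page checksum mismatch */
    PRECHECK_NOT_BOS = -4,     /* first page lacks the beginning-of-stream flag */
    PRECHECK_NOT_IDENT = -5,   /* first packet is not a Vorbis identification header */
    PRECHECK_BAD_FIELDS = -6   /* channels, rate, blocksizes or framing bit invalid */
};

#define IDENT_PAGE_LEN 58  /* 27-byte header + 1 lacing byte + 30-byte packet */

/* Ogg page CRC-32: polynomial 0x04c11db7, no bit reflection, zero init,
 * no final XOR, computed with the page's own CRC field (bytes 22..25) as zero. */
static uint32_t ogg_page_crc(const uint8_t *page, size_t len) {
    uint32_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t byte = (i >= 22 && i < 26) ? 0 : page[i];
        crc ^= (uint32_t)byte << 24;
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80000000u) ? (crc << 1) ^ 0x04c11db7u : (crc << 1);
    }
    return crc;
}

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns PRECHECK_OK or a negative precheck_result for buf[0..len). */
int vorbis_precheck(const uint8_t *buf, size_t len) {
    if (len < 27) return PRECHECK_TRUNCATED;
    if (memcmp(buf, "OggS", 4) != 0 || buf[4] != 0) return PRECHECK_NOT_OGG;

    size_t nsegs = buf[26];
    size_t hdr_len = 27 + nsegs;
    if (len < hdr_len) return PRECHECK_TRUNCATED;

    /* Body length is the sum of the lacing values; the first packet ends at
     * the first lacing value below 255. */
    size_t body_len = 0, pkt_len = 0;
    int pkt_done = 0;
    for (size_t i = 0; i < nsegs; i++) {
        body_len += buf[27 + i];
        if (!pkt_done) {
            pkt_len += buf[27 + i];
            if (buf[27 + i] < 255) pkt_done = 1;
        }
    }
    if (len < hdr_len + body_len) return PRECHECK_TRUNCATED;
    if (!pkt_done) return PRECHECK_NOT_IDENT;  /* spills to next page: not a 30-byte ident header */

    if (ogg_page_crc(buf, hdr_len + body_len) != rd_le32(buf + 22)) return PRECHECK_BAD_CRC;
    if (!(buf[5] & 0x02)) return PRECHECK_NOT_BOS;

    const uint8_t *pkt = buf + hdr_len;
    if (pkt_len != 30 || pkt[0] != 1 || memcmp(pkt + 1, "vorbis", 6) != 0) return PRECHECK_NOT_IDENT;
    if (rd_le32(pkt + 7) != 0) return PRECHECK_NOT_IDENT;  /* vorbis_version must be 0 */

    uint8_t channels = pkt[11];
    uint32_t rate = rd_le32(pkt + 12);
    unsigned bs0 = 1u << (pkt[28] & 0x0F);  /* blocksize_0 from the low nibble */
    unsigned bs1 = 1u << (pkt[28] >> 4);    /* blocksize_1 from the high nibble */
    if (channels == 0 || rate == 0) return PRECHECK_BAD_FIELDS;
    if (bs0 < 64 || bs1 > 8192 || bs0 > bs1) return PRECHECK_BAD_FIELDS;
    if (!(pkt[29] & 0x01)) return PRECHECK_BAD_FIELDS;  /* framing bit */
    return PRECHECK_OK;
}

/* Constructs a synthetic single-page stream carrying one identification
 * header into out[IDENT_PAGE_LEN] and returns its length. */
size_t build_ident_page(uint8_t *out, uint8_t channels, uint32_t rate, uint8_t blocksizes) {
    memset(out, 0, IDENT_PAGE_LEN);
    memcpy(out, "OggS", 4);
    out[5] = 0x02;                 /* header type: beginning of stream */
    out[14] = 0x34; out[15] = 0x12; /* arbitrary stream serial number */
    out[26] = 1;                   /* one lacing value */
    out[27] = 30;                  /* the identification header is 30 bytes */
    uint8_t *pkt = out + 28;
    pkt[0] = 1;                    /* packet type: identification */
    memcpy(pkt + 1, "vorbis", 6);  /* vorbis_version (bytes 7..10) stays 0 */
    pkt[11] = channels;
    for (int i = 0; i < 4; i++) pkt[12 + i] = (uint8_t)(rate >> (8 * i));
    pkt[28] = blocksizes;          /* bitrate fields (16..27) stay 0 = unset */
    pkt[29] = 1;                   /* framing bit */
    uint32_t crc = ogg_page_crc(out, IDENT_PAGE_LEN);
    for (int i = 0; i < 4; i++) out[22 + i] = (uint8_t)(crc >> (8 * i));
    return IDENT_PAGE_LEN;
}

/* Builds a page, optionally flips one body byte, and checks the first `len`
 * bytes (0 = the whole page). */
int precheck_scenario(uint8_t channels, uint32_t rate, uint8_t blocksizes, int flip_byte, size_t len) {
    uint8_t page[IDENT_PAGE_LEN];
    size_t n = build_ident_page(page, channels, rate, blocksizes);
    if (flip_byte) page[40] ^= 0xFF;
    return vorbis_precheck(page, len ? len : n);
}

int main(void) {
    printf("well-formed: %d\n", precheck_scenario(2, 44100, 0xB8, 0, 0));
    printf("zero channels: %d\n", precheck_scenario(0, 44100, 0xB8, 0, 0));
    printf("blocksize_0 > blocksize_1: %d\n", precheck_scenario(2, 44100, 0x8B, 0, 0));
    printf("corrupted body: %d\n", precheck_scenario(2, 44100, 0xB8, 1, 0));
    printf("truncated: %d\n", precheck_scenario(2, 44100, 0xB8, 0, 40));
    return 0;
}
```

In an application, the check sits in front of the decode call: only a buffer for which vorbis_precheck() returns PRECHECK_OK is passed to stb_vorbis_decode_memory(), and rejected inputs are logged with the returned code so that a stream of malformed files from one source becomes visible in monitoring.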
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2026-5316 on compliance with common standards and regulations such as GDPR or HIPAA.