CVE-2026-5317
Received Received - Intake
Out-of-Bounds Write in Nothings stb_vorbis.c Enables Remote Attack

Publication date: 2026-04-02

Last updated on: 2026-04-30

Assigner: VulDB

Description
A security flaw has been discovered in Nothings stb up to 1.22. This affects the function start_decoder of the file stb_vorbis.c. The manipulation results in out-of-bounds write. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5317
EUVD
EUVD-2026-18114
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nothings stb_vorbis.c to 1.22 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5317 is a critical heap buffer overflow vulnerability in the stb_vorbis.c library (version up to 1.22), specifically in the start_decoder() function.

The issue arises due to an integer overflow during the allocation of the comment list array. The length of this list is derived from untrusted Vorbis header data, and the multiplication to calculate the allocation size overflows, causing a much smaller buffer to be allocated than intended.

Subsequently, a loop writes a very large number of entries into this undersized buffer, resulting in massive heap corruption through out-of-bounds writes.

This heap corruption can be exploited by attackers using techniques like tcache poisoning or chunk overlap to achieve arbitrary code execution or other malicious effects.

Impact Analysis

This vulnerability allows remote attackers to perform out-of-bounds writes on the heap, leading to extensive heap corruption.

Exploitation of this flaw can enable attackers to execute arbitrary code, potentially taking control of the affected system or causing denial of service.

Because the vulnerability can be triggered remotely and the exploit is publicly available, the risk of attack is significant if the vulnerable library is used in your environment.

Detection Guidance

This vulnerability can be detected by using a crafted Vorbis file that triggers the heap buffer overflow in the stb_vorbis library. A minimal test program (repro.c) is available which decodes a specially crafted Vorbis file (poc.ogg) using the vulnerable function stb_vorbis_decode_memory().

To detect the overflow, compile the test program with AddressSanitizer (ASAN) enabled. ASAN will report heap-buffer-overflow errors during execution of the test program.

  • Compile repro.c with ASAN: gcc -fsanitize=address repro.c -o repro
  • Run the test program with the crafted Vorbis file: ./repro poc.ogg

If the vulnerability is present, ASAN will output heap-buffer-overflow errors indicating the out-of-bounds write in start_decoder().

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-5317 on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate the CVE-2026-5317 vulnerability, immediate steps include avoiding the use of untrusted or malicious Vorbis audio files that could trigger the heap buffer overflow in the stb_vorbis library.

Since the vendor has not responded and no patch is mentioned, consider applying input validation or sandboxing techniques to limit the impact of potentially malicious files.

Additionally, monitoring for updates or patches from the vendor or community and applying them as soon as they become available is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5317. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart