CVE-2026-5317
Out-of-Bounds Write in Nothings stb_vorbis.c Enables Remote Attack
Publication date: 2026-04-02
Last updated on: 2026-04-30
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nothings | stb_vorbis.c | to 1.22 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5317 is a critical heap buffer overflow vulnerability in the stb_vorbis.c library (version up to 1.22), specifically in the start_decoder() function.
The issue arises due to an integer overflow during the allocation of the comment list array. The length of this list is derived from untrusted Vorbis header data, and the multiplication to calculate the allocation size overflows, causing a much smaller buffer to be allocated than intended.
Subsequently, a loop writes a very large number of entries into this undersized buffer, resulting in massive heap corruption through out-of-bounds writes.
This heap corruption can be exploited by attackers using techniques like tcache poisoning or chunk overlap to achieve arbitrary code execution or other malicious effects.
How can this vulnerability impact me? :
This vulnerability allows remote attackers to perform out-of-bounds writes on the heap, leading to extensive heap corruption.
Exploitation of this flaw can enable attackers to execute arbitrary code, potentially taking control of the affected system or causing denial of service.
Because the vulnerability can be triggered remotely and the exploit is publicly available, the risk of attack is significant if the vulnerable library is used in your environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by using a crafted Vorbis file that triggers the heap buffer overflow in the stb_vorbis library. A minimal test program (repro.c) is available which decodes a specially crafted Vorbis file (poc.ogg) using the vulnerable function stb_vorbis_decode_memory().
To detect the overflow, compile the test program with AddressSanitizer (ASAN) enabled. ASAN will report heap-buffer-overflow errors during execution of the test program.
- Compile repro.c with ASAN: gcc -fsanitize=address repro.c -o repro
- Run the test program with the crafted Vorbis file: ./repro poc.ogg
If the vulnerability is present, ASAN will output heap-buffer-overflow errors indicating the out-of-bounds write in start_decoder().
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of CVE-2026-5317 on compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-5317 vulnerability, immediate steps include avoiding the use of untrusted or malicious Vorbis audio files that could trigger the heap buffer overflow in the stb_vorbis library.
Since the vendor has not responded and no patch is mentioned, consider applying input validation or sandboxing techniques to limit the impact of potentially malicious files.
Additionally, monitoring for updates or patches from the vendor or community and applying them as soon as they become available is recommended.