CVE-2026-32836

Summary

dr_libs dr_flac.h version 0.13.3 and earlier (fixed in commits fefced4, 4f5a4cd, and 663239a) contain an uncontrolled memory allocation vulnerability in drflac__read_and_decode_metadata() that allows attackers to trigger excessive memory allocation by supplying crafted PICTURE metadata blocks. Attackers can exploit attacker-controlled mimeLength and descriptionLength fields to cause denial of service through memory exhaustion when processing FLAC streams with metadata callbacks.

Affected Software

VendorProductVersion RangeStatus
mackrondr_libs dr_flac.h0 <= 0.13.3affected
mackrondr_libs dr_flac.hfefced4a64adfb1a68a2d31d882366e56096dee8unaffected
mackrondr_libs dr_flac.h4f5a4cd3b57564d969443c580c75857e039f100aunaffected
mackrondr_libs dr_flac.h663239a3d0460c33bd5b6e5166edcb404e3df676unaffected

Weaknesses

  • CWE-789: CWE-789 Memory allocation with excessive size value

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References