CVE-2026-5185

Summary

A security flaw has been discovered in Nothings stb_image up to 2.30. This affects the function stbi__gif_load_next of the file stb_image.h of the component Multi-frame GIF File Handler. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
Nothingsstb_image2.0affected
Nothingsstb_image2.1affected
Nothingsstb_image2.2affected
Nothingsstb_image2.3affected
Nothingsstb_image2.4affected
Nothingsstb_image2.5affected
Nothingsstb_image2.6affected
Nothingsstb_image2.7affected
Nothingsstb_image2.8affected
Nothingsstb_image2.9affected
Nothingsstb_image2.10affected
Nothingsstb_image2.11affected
Nothingsstb_image2.12affected
Nothingsstb_image2.13affected
Nothingsstb_image2.14affected
Nothingsstb_image2.15affected
Nothingsstb_image2.16affected
Nothingsstb_image2.17affected
Nothingsstb_image2.18affected
Nothingsstb_image2.19affected
Nothingsstb_image2.20affected
Nothingsstb_image2.21affected
Nothingsstb_image2.22affected
Nothingsstb_image2.23affected
Nothingsstb_image2.24affected
Nothingsstb_image2.25affected
Nothingsstb_image2.26affected
Nothingsstb_image2.27affected
Nothingsstb_image2.28affected
Nothingsstb_image2.29affected
Nothingsstb_image2.30affected

Weaknesses

  • CWE-122: Heap-based Buffer Overflow
  • CWE-119: Memory Corruption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References