CVE-2026-5186

Summary

A weakness has been identified in Nothings stb up to 2.30. This impacts the function stbi__load_gif_main of the file stb_image.h of the component Multi-frame GIF File Handler. This manipulation causes double free. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
Nothingsstb2.0affected
Nothingsstb2.1affected
Nothingsstb2.2affected
Nothingsstb2.3affected
Nothingsstb2.4affected
Nothingsstb2.5affected
Nothingsstb2.6affected
Nothingsstb2.7affected
Nothingsstb2.8affected
Nothingsstb2.9affected
Nothingsstb2.10affected
Nothingsstb2.11affected
Nothingsstb2.12affected
Nothingsstb2.13affected
Nothingsstb2.14affected
Nothingsstb2.15affected
Nothingsstb2.16affected
Nothingsstb2.17affected
Nothingsstb2.18affected
Nothingsstb2.19affected
Nothingsstb2.20affected
Nothingsstb2.21affected
Nothingsstb2.22affected
Nothingsstb2.23affected
Nothingsstb2.24affected
Nothingsstb2.25affected
Nothingsstb2.26affected
Nothingsstb2.27affected
Nothingsstb2.28affected
Nothingsstb2.29affected
Nothingsstb2.30affected

Weaknesses

  • CWE-415: Double Free
  • CWE-119: Memory Corruption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References