CVE-2026-5315

Summary

A vulnerability was determined in Nothings stb up to 1.26. The affected element is the function stbtt__buf_get8 in the library stb_truetype.h of the component TTF File Handler. Executing a manipulation can lead to out-of-bounds read. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
Nothingsstb1.0affected
Nothingsstb1.1affected
Nothingsstb1.2affected
Nothingsstb1.3affected
Nothingsstb1.4affected
Nothingsstb1.5affected
Nothingsstb1.6affected
Nothingsstb1.7affected
Nothingsstb1.8affected
Nothingsstb1.9affected
Nothingsstb1.10affected
Nothingsstb1.11affected
Nothingsstb1.12affected
Nothingsstb1.13affected
Nothingsstb1.14affected
Nothingsstb1.15affected
Nothingsstb1.16affected
Nothingsstb1.17affected
Nothingsstb1.18affected
Nothingsstb1.19affected
Nothingsstb1.20affected
Nothingsstb1.21affected
Nothingsstb1.22affected
Nothingsstb1.23affected
Nothingsstb1.24affected
Nothingsstb1.25affected
Nothingsstb1.26affected

Weaknesses

  • CWE-125: Out-of-Bounds Read
  • CWE-119: Memory Corruption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References