CVE-2026-5316

Summary

A vulnerability was identified in Nothings stb up to 1.22. The impacted element is the function setup_free of the file stb_vorbis.c. The manipulation leads to allocation of resources. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
Nothingsstb1.0affected
Nothingsstb1.1affected
Nothingsstb1.2affected
Nothingsstb1.3affected
Nothingsstb1.4affected
Nothingsstb1.5affected
Nothingsstb1.6affected
Nothingsstb1.7affected
Nothingsstb1.8affected
Nothingsstb1.9affected
Nothingsstb1.10affected
Nothingsstb1.11affected
Nothingsstb1.12affected
Nothingsstb1.13affected
Nothingsstb1.14affected
Nothingsstb1.15affected
Nothingsstb1.16affected
Nothingsstb1.17affected
Nothingsstb1.18affected
Nothingsstb1.19affected
Nothingsstb1.20affected
Nothingsstb1.21affected
Nothingsstb1.22affected

Weaknesses

  • CWE-770: Allocation of Resources
  • CWE-400: Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References