CVE-2026-5317

Summary

A security flaw has been discovered in Nothings stb up to 1.22. This affects the function start_decoder of the file stb_vorbis.c. The manipulation results in out-of-bounds write. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
Nothingsstb1.0affected
Nothingsstb1.1affected
Nothingsstb1.2affected
Nothingsstb1.3affected
Nothingsstb1.4affected
Nothingsstb1.5affected
Nothingsstb1.6affected
Nothingsstb1.7affected
Nothingsstb1.8affected
Nothingsstb1.9affected
Nothingsstb1.10affected
Nothingsstb1.11affected
Nothingsstb1.12affected
Nothingsstb1.13affected
Nothingsstb1.14affected
Nothingsstb1.15affected
Nothingsstb1.16affected
Nothingsstb1.17affected
Nothingsstb1.18affected
Nothingsstb1.19affected
Nothingsstb1.20affected
Nothingsstb1.21affected
Nothingsstb1.22affected

Weaknesses

  • CWE-787: Out-of-bounds Write
  • CWE-119: Memory Corruption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References