CVE-2026-5314

Published: Apr 1, 2026Modified: Apr 30, 2026

2.1

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: CNA (Secondary)

Description

A vulnerability was found in Nothings stb up to 1.26. Impacted is the function stbtt_InitFont_internal in the library stb_truetype.h of the component TTF File Handler. Performing a manipulation results in out-of-bounds read. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected (1)

Products: Nothings: Stb Truetype.h

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Nothings Stb Truetype.h	Up to 1.26

Related CWEs

Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

References (4)

https://gist.github.com/d0razi/cb31a92f3205a4373f19b7da25946848

Source: cna@vuldb.com

ExploitThird Party Advisory

https://vuldb.com/submit/780558

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

https://vuldb.com/vuln/354646

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

https://vuldb.com/vuln/354646/cti

Source: cna@vuldb.com

Permissions RequiredVDB Entry

Timeline

No history available yet.