CVE-2026-5317

Published: Apr 2, 2026Modified: Apr 30, 2026

2.1

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: CNA (Secondary)

Description

A security flaw has been discovered in Nothings stb up to 1.22. This affects the function start_decoder of the file stb_vorbis.c. The manipulation results in out-of-bounds write. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Affected (1)

Products: Nothings: Stb Vorbis.c

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Nothings Stb Vorbis.c	Up to 1.22

Related CWEs

Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

References (4)

https://gist.github.com/d0razi/2ff8a0e812f74dd6fe7f2843931bb90c

Source: cna@vuldb.com

ExploitThird Party Advisory

https://vuldb.com/submit/780561

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

https://vuldb.com/vuln/354649

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

https://vuldb.com/vuln/354649/cti

Source: cna@vuldb.com

Permissions RequiredVDB Entry

Timeline

No history available yet.