CVE-2026-5315

MEDIUM 4.3

Nothings stb TTF File stb_truetype.h stbtt__buf_get8 out-of-bounds

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

10th

A vulnerability was determined in Nothings stb up to 1.26. The affected element is the function stbtt__buf_get8 in the library stb_truetype.h of the component TTF File Handler. Executing a manipulation can lead to out-of-bounds read. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CWE	CWE-125 CWE-119
Vendor	nothings
Product	stb
Published	Apr 1, 2026
Last Updated	Apr 2, 2026

Stay Ahead of the Next One

Get instant alerts for nothings stb

Be the first to know when new medium vulnerabilities affecting nothings stb are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Nothings / stb

1.0 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 1.23 1.24 1.25 1.26

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/354647 vuldb.com: https://vuldb.com/vuln/354647/cti vuldb.com: https://vuldb.com/submit/780559 gist.github.com: https://gist.github.com/d0razi/c11dd07c75f3b795e4f8bbfd6e2f0d29

Credits

🔍 d0razi (VulDB User) VulDB