CVE-2026-5317

MEDIUM 6.3

Nothings stb stb_vorbis.c start_decoder out-of-bounds write

CVSS Score

6.3

EPSS Score

0.0%

EPSS Percentile

10th

A security flaw has been discovered in Nothings stb up to 1.22. This affects the function start_decoder of the file stb_vorbis.c. The manipulation results in out-of-bounds write. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CWE	CWE-787 CWE-119
Vendor	nothings
Product	stb
Published	Apr 2, 2026
Last Updated	Apr 2, 2026

Stay Ahead of the Next One

Get instant alerts for nothings stb

Be the first to know when new medium vulnerabilities affecting nothings stb are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Nothings / stb

1.0 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/354649 vuldb.com: https://vuldb.com/vuln/354649/cti vuldb.com: https://vuldb.com/submit/780561 gist.github.com: https://gist.github.com/d0razi/2ff8a0e812f74dd6fe7f2843931bb90c

Credits

🔍 d0razi (VulDB User) VulDB