Skip to main content

Stb Image CVE-2026-5185

| EUVDEUVD-2026-17337 LOW
Heap-based Buffer Overflow (CWE-122)
2026-03-31 VulDB GHSA-ccf6-mw22-wphc
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
4.3 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
4.8 (MEDIUM) 1.9 (LOW)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 07:00 euvd
EUVD-2026-17337
Analysis Generated
Mar 31, 2026 - 07:00 vuln.today
CVE Published
Mar 31, 2026 - 06:45 nvd
MEDIUM 4.8

DescriptionCVE.org

A security flaw has been discovered in Nothings stb_image up to 2.30. This affects the function stbi__gif_load_next of the file stb_image.h of the component Multi-frame GIF File Handler. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Heap-based buffer overflow in Nothings stb_image library up to version 2.30 in the stbi__gif_load_next function allows local authenticated attackers to cause memory corruption with limited confidentiality, integrity, and availability impact. Public exploit code is available; however, the vulnerability requires local access and authenticated privilege level, significantly limiting real-world exploitation scope. The vendor has not responded to early disclosure attempts.

Technical ContextAI

stb_image is a popular single-header C library for image loading and processing. The vulnerability exists in the multi-frame GIF file handler component, specifically in the stbi__gif_load_next function within stb_image.h. The root cause is classified as CWE-122 (Heap-based Buffer Overflow), indicating improper bounds checking when processing GIF frame data during sequential frame loading. The heap corruption occurs when parsing specially crafted multi-frame GIF files, allowing memory writes beyond allocated buffer boundaries. This is a memory safety issue inherent to C-based image parsing without robust input validation.

RemediationAI

Upgrade stb_image to a version after 2.30 once the vendor releases a patched version. At the time of this analysis, the vendor has not confirmed patch availability or a specific fix version; monitor the official stb_image repository and VulDB references for release notices. As an interim workaround, disable GIF multi-frame processing in applications, restrict file loading to trusted sources, or implement external GIF validation before passing to stb_image. Developers embedding stb_image should review their use case and privilege model to determine if local authenticated access is realistically possible in their threat model.

Vendor StatusVendor

Debian

libstb
Release Status Fixed Version Urgency
bullseye vulnerable 0.0~git20200713.b42009b+ds-1 -
bullseye (security) vulnerable 0.0~git20200713.b42009b+ds-1+deb11u1 -
bookworm vulnerable 0.0~git20220908.8b5f1f3+ds-1 -
trixie vulnerable 0.0~git20241109.5c20573+ds-1 -
forky, sid vulnerable 0.0~git20250907.fede005+ds-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium

Share

CVE-2026-5185 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy