Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A security flaw has been discovered in Nothings stb_image up to 2.30. This affects the function stbi__gif_load_next of the file stb_image.h of the component Multi-frame GIF File Handler. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Heap-based buffer overflow in Nothings stb_image library up to version 2.30 in the stbi__gif_load_next function allows local authenticated attackers to cause memory corruption with limited confidentiality, integrity, and availability impact. Public exploit code is available; however, the vulnerability requires local access and authenticated privilege level, significantly limiting real-world exploitation scope. The vendor has not responded to early disclosure attempts.
Technical ContextAI
stb_image is a popular single-header C library for image loading and processing. The vulnerability exists in the multi-frame GIF file handler component, specifically in the stbi__gif_load_next function within stb_image.h. The root cause is classified as CWE-122 (Heap-based Buffer Overflow), indicating improper bounds checking when processing GIF frame data during sequential frame loading. The heap corruption occurs when parsing specially crafted multi-frame GIF files, allowing memory writes beyond allocated buffer boundaries. This is a memory safety issue inherent to C-based image parsing without robust input validation.
RemediationAI
Upgrade stb_image to a version after 2.30 once the vendor releases a patched version. At the time of this analysis, the vendor has not confirmed patch availability or a specific fix version; monitor the official stb_image repository and VulDB references for release notices. As an interim workaround, disable GIF multi-frame processing in applications, restrict file loading to trusted sources, or implement external GIF validation before passing to stb_image. Developers embedding stb_image should review their use case and privilege model to determine if local authenticated access is realistically possible in their threat model.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 0.0~git20200713.b42009b+ds-1 | - |
| bullseye (security) | vulnerable | 0.0~git20200713.b42009b+ds-1+deb11u1 | - |
| bookworm | vulnerable | 0.0~git20220908.8b5f1f3+ds-1 | - |
| trixie | vulnerable | 0.0~git20241109.5c20573+ds-1 | - |
| forky, sid | vulnerable | 0.0~git20250907.fede005+ds-1 | - |
| (unstable) | fixed | (unfixed) | - |
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17337
GHSA-ccf6-mw22-wphc