Stb CVE-2026-5186

EUVD-2026-17340 LOW
Double Free (CWE-415)
2026-03-31 VulDB GHSA-593x-hf83-hmrv
CVSS 4.0 score: 1.9 (NVD)

Severity by source

NVD (primary): 1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

SUSE: 4.3 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

5
Severity Changed: Apr 29, 2026 - 01:11 (NVD), MEDIUM → LOW
CVSS changed: Apr 29, 2026 - 01:11 (NVD), 4.8 (MEDIUM) → 1.9 (LOW)
EUVD ID Assigned: Mar 31, 2026 - 08:00 (euvd), EUVD-2026-17340
Analysis Generated: Mar 31, 2026 - 08:00 (vuln.today)
CVE Published: Mar 31, 2026 - 07:30 (nvd), MEDIUM 4.8

Description (CVE.org)

A weakness has been identified in Nothings stb up to 2.30. This impacts the function stbi__load_gif_main of the file stb_image.h of the component Multi-frame GIF File Handler. This manipulation causes double free. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

Double free vulnerability in Nothings stb library (up to version 2.30) in the multi-frame GIF file handler function stbi__load_gif_main allows local authenticated attackers to cause information disclosure and memory corruption. Public exploit code is available. …

Vulnerability Assessment (AI)

Risk Assessment: CVSS 5.3 (AV:L/AC:L/PR:L) indicates a local attack requiring low privilege user access with low complexity. …

Exploit Scenario: A local user on a multi-user system crafts a malicious GIF file and places it in a shared directory or uploads it to an application that uses stb_image.h for processing. When the application or another user's process loads the malicious GIF through stbi__load_gif_main, the double free condition is triggered during multi-frame parsing. …

Remediation: Update to stb library version 2.31 or later if released by the vendor, or apply a patched version available from the official repository. …

Vendor Status

SUSE

Severity: Medium
