EUVD-2026-18114Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A security flaw has been discovered in Nothings stb up to 1.22. This affects the function start_decoder of the file stb_vorbis.c. The manipulation results in out-of-bounds write. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Out-of-bounds write in Nothings stb library up to version 1.22 allows remote attackers to corrupt memory and potentially execute code by crafting malicious Vorbis audio files that trigger improper bounds checking in the start_decoder function. Publicly available exploit code exists for this vulnerability, which affects all applications statically linking vulnerable stb_vorbis.c code. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Vulnerability AssessmentAI
| Risk Assessment | CVSS 6.3 (Medium) with network attack vector and no privileges required indicates moderate severity, though the CVSS Environmental rating (E:P) reflects proof-of-concept availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user running a game or multimedia application that embeds stb_vorbis.c version 1.22 is socially engineered to download a malicious .ogg or .vorbis audio file from a compromised website or file-sharing service. When the application attempts to play or import the file, the start_decoder function processes the specially crafted Vorbis header and writes out-of-bounds into adjacent memory, potentially overwriting function pointers or return addresses. … |
| Remediation | Users must update to stb library version 1.23 or later if such a release addressing this flaw is available; however, the vendor's non-responsiveness to disclosure suggests checking the official Nothings stb GitHub repository (https://github.com/nothings/stb) for the latest version and any security advisories. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Vendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 0.0~git20200713.b42009b+ds-1 | - |
| bullseye (security) | vulnerable | 0.0~git20200713.b42009b+ds-1+deb11u1 | - |
| bookworm | vulnerable | 0.0~git20220908.8b5f1f3+ds-1 | - |
| trixie | vulnerable | 0.0~git20241109.5c20573+ds-1 | - |
| forky, sid | vulnerable | 0.0~git20250907.fede005+ds-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today