CVE-2026-5316 (GCVE-0-2026-5316)
Vulnerability from cvelistv5 – Published: 2026-04-02 00:00 – Updated: 2026-04-02 18:24
VLAI?
Title
Nothings stb stb_vorbis.c setup_free allocation of resources
Summary
A vulnerability was identified in Nothings stb up to 1.22. The impacted element is the function setup_free of the file stb_vorbis.c. The manipulation leads to allocation of resources. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Nothings | stb |
Affected:
1.0
Affected: 1.1 Affected: 1.2 Affected: 1.3 Affected: 1.4 Affected: 1.5 Affected: 1.6 Affected: 1.7 Affected: 1.8 Affected: 1.9 Affected: 1.10 Affected: 1.11 Affected: 1.12 Affected: 1.13 Affected: 1.14 Affected: 1.15 Affected: 1.16 Affected: 1.17 Affected: 1.18 Affected: 1.19 Affected: 1.20 Affected: 1.21 Affected: 1.22 |
Credits
d0razi (VulDB User)
VulDB
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5316",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T18:23:58.665574Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T18:24:28.334Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "stb",
"vendor": "Nothings",
"versions": [
{
"status": "affected",
"version": "1.0"
},
{
"status": "affected",
"version": "1.1"
},
{
"status": "affected",
"version": "1.2"
},
{
"status": "affected",
"version": "1.3"
},
{
"status": "affected",
"version": "1.4"
},
{
"status": "affected",
"version": "1.5"
},
{
"status": "affected",
"version": "1.6"
},
{
"status": "affected",
"version": "1.7"
},
{
"status": "affected",
"version": "1.8"
},
{
"status": "affected",
"version": "1.9"
},
{
"status": "affected",
"version": "1.10"
},
{
"status": "affected",
"version": "1.11"
},
{
"status": "affected",
"version": "1.12"
},
{
"status": "affected",
"version": "1.13"
},
{
"status": "affected",
"version": "1.14"
},
{
"status": "affected",
"version": "1.15"
},
{
"status": "affected",
"version": "1.16"
},
{
"status": "affected",
"version": "1.17"
},
{
"status": "affected",
"version": "1.18"
},
{
"status": "affected",
"version": "1.19"
},
{
"status": "affected",
"version": "1.20"
},
{
"status": "affected",
"version": "1.21"
},
{
"status": "affected",
"version": "1.22"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "d0razi (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in Nothings stb up to 1.22. The impacted element is the function setup_free of the file stb_vorbis.c. The manipulation leads to allocation of resources. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "Allocation of Resources",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T00:00:18.137Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354648 | Nothings stb stb_vorbis.c setup_free allocation of resources",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354648"
},
{
"name": "VDB-354648 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354648/cti"
},
{
"name": "Submit #780560 | nothings stb (stb_vorbis.c) \u2264 1.22 Free of Pointer not at Start of Buffer",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780560"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/d0razi/cc7f70bba08c1a455d9933e97b8b57c1"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-01T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-01T14:45:26.000Z",
"value": "VulDB entry last update"
}
],
"title": "Nothings stb stb_vorbis.c setup_free allocation of resources"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5316",
"datePublished": "2026-04-02T00:00:18.137Z",
"dateReserved": "2026-04-01T12:40:09.662Z",
"dateUpdated": "2026-04-02T18:24:28.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-5316",
"date": "2026-04-16",
"epss": "0.00036",
"percentile": "0.1055"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-5316\",\"sourceIdentifier\":\"cna@vuldb.com\",\"published\":\"2026-04-02T00:16:25.410\",\"lastModified\":\"2026-04-03T16:10:52.680\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was identified in Nothings stb up to 1.22. The impacted element is the function setup_free of the file stb_vorbis.c. The manipulation leads to allocation of resources. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"},{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"references\":[{\"url\":\"https://gist.github.com/d0razi/cc7f70bba08c1a455d9933e97b8b57c1\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/submit/780560\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/vuln/354648\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/vuln/354648/cti\",\"source\":\"cna@vuldb.com\"}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2026-04-02T00:00:18.137Z\"}, \"title\": \"Nothings stb stb_vorbis.c setup_free allocation of resources\", \"problemTypes\": [{\"descriptions\": [{\"type\": \"CWE\", \"cweId\": \"CWE-770\", \"lang\": \"en\", \"description\": \"Allocation of Resources\"}]}, {\"descriptions\": [{\"type\": \"CWE\", \"cweId\": \"CWE-400\", \"lang\": \"en\", \"description\": \"Resource Consumption\"}]}], \"affected\": [{\"vendor\": \"Nothings\", \"product\": \"stb\", \"versions\": [{\"version\": \"1.0\", \"status\": \"affected\"}, {\"version\": \"1.1\", \"status\": \"affected\"}, {\"version\": \"1.2\", \"status\": \"affected\"}, {\"version\": \"1.3\", \"status\": \"affected\"}, {\"version\": \"1.4\", \"status\": \"affected\"}, {\"version\": \"1.5\", \"status\": \"affected\"}, {\"version\": \"1.6\", \"status\": \"affected\"}, {\"version\": \"1.7\", \"status\": \"affected\"}, {\"version\": \"1.8\", \"status\": \"affected\"}, {\"version\": \"1.9\", \"status\": \"affected\"}, {\"version\": \"1.10\", \"status\": \"affected\"}, {\"version\": \"1.11\", \"status\": \"affected\"}, {\"version\": \"1.12\", \"status\": \"affected\"}, {\"version\": \"1.13\", \"status\": \"affected\"}, {\"version\": \"1.14\", \"status\": \"affected\"}, {\"version\": \"1.15\", \"status\": \"affected\"}, {\"version\": \"1.16\", \"status\": \"affected\"}, {\"version\": \"1.17\", \"status\": \"affected\"}, {\"version\": \"1.18\", \"status\": \"affected\"}, {\"version\": \"1.19\", \"status\": \"affected\"}, {\"version\": \"1.20\", \"status\": \"affected\"}, {\"version\": \"1.21\", \"status\": \"affected\"}, {\"version\": \"1.22\", \"status\": \"affected\"}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability was identified in Nothings stb up to 1.22. The impacted element is the function setup_free of the file stb_vorbis.c. The manipulation leads to allocation of resources. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.3, \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P\", \"baseSeverity\": \"MEDIUM\"}}, {\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 4.3, \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R\", \"baseSeverity\": \"MEDIUM\"}}, {\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 4.3, \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R\", \"baseSeverity\": \"MEDIUM\"}}, {\"cvssV2_0\": {\"version\": \"2.0\", \"baseScore\": 5, \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR\"}}], \"timeline\": [{\"time\": \"2026-04-01T00:00:00.000Z\", \"lang\": \"en\", \"value\": \"Advisory disclosed\"}, {\"time\": \"2026-04-01T02:00:00.000Z\", \"lang\": \"en\", \"value\": \"VulDB entry created\"}, {\"time\": \"2026-04-01T14:45:26.000Z\", \"lang\": \"en\", \"value\": \"VulDB entry last update\"}], \"credits\": [{\"lang\": \"en\", \"value\": \"d0razi (VulDB User)\", \"type\": \"reporter\"}, {\"lang\": \"en\", \"value\": \"VulDB\", \"type\": \"coordinator\"}], \"references\": [{\"url\": \"https://vuldb.com/vuln/354648\", \"name\": \"VDB-354648 | Nothings stb stb_vorbis.c setup_free allocation of resources\", \"tags\": [\"vdb-entry\", \"technical-description\"]}, {\"url\": \"https://vuldb.com/vuln/354648/cti\", \"name\": \"VDB-354648 | CTI Indicators (IOB, IOC, TTP, IOA)\", \"tags\": [\"signature\", \"permissions-required\"]}, {\"url\": \"https://vuldb.com/submit/780560\", \"name\": \"Submit #780560 | nothings stb (stb_vorbis.c) \\u2264 1.22 Free of Pointer not at Start of Buffer\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://gist.github.com/d0razi/cc7f70bba08c1a455d9933e97b8b57c1\", \"tags\": [\"exploit\"]}]}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-5316\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-02T18:23:58.665574Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-02T18:24:04.708Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-5316\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"VulDB\", \"dateReserved\": \"2026-04-01T12:40:09.662Z\", \"datePublished\": \"2026-04-02T00:00:18.137Z\", \"dateUpdated\": \"2026-04-02T18:24:28.334Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…