CVE-2026-32836
MediumCVSS 6.2Exploitation Probability (EPSS)
Low risk8th percentile - higher than 8% of all known CVEs
Summary
The dr_libs dr_flac.h library version 0.13.3 and earlier has an uncontrolled memory allocation vulnerability in drflac__read_and_decode_metadata(). Attackers can supply crafted PICTURE metadata blocks with controlled mimeLength and descriptionLength fields, leading to excessive memory allocation.
Risk Assessment
The risk is memory exhaustion (denial of service) when processing FLAC streams with metadata callbacks, potentially disrupting applications using this library.
Recommendation
Immediately update dr_flac.h to a version containing the fixes (commits fefced4, 4f5a4cd, 663239a) or apply a patch limiting the maximum memory allocation size for mimeLength and descriptionLength fields.
Original NVD description (English source)
dr_libs dr_flac.h version 0.13.3 and earlier (fixed in commits fefced4, 4f5a4cd, and 663239a) contain an uncontrolled memory allocation vulnerability in drflac__read_and_decode_metadata() that allows attackers to trigger excessive memory allocation by supplying crafted PICTURE metadata blocks. Attackers can exploit attacker-controlled mimeLength and descriptionLength fields to cause denial of service through memory exhaustion when processing FLAC streams with metadata callbacks.

