CVE Catalog

CVE-2026-32836

MediumCVSS 6.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile - higher than 8% of all known CVEs

Summary

The dr_libs dr_flac.h library version 0.13.3 and earlier has an uncontrolled memory allocation vulnerability in drflac__read_and_decode_metadata(). Attackers can supply crafted PICTURE metadata blocks with controlled mimeLength and descriptionLength fields, leading to excessive memory allocation.

Risk Assessment

The risk is memory exhaustion (denial of service) when processing FLAC streams with metadata callbacks, potentially disrupting applications using this library.

Recommendation

Immediately update dr_flac.h to a version containing the fixes (commits fefced4, 4f5a4cd, 663239a) or apply a patch limiting the maximum memory allocation size for mimeLength and descriptionLength fields.

Original NVD description (English source)

dr_libs dr_flac.h version 0.13.3 and earlier (fixed in commits fefced4, 4f5a4cd, and 663239a) contain an uncontrolled memory allocation vulnerability in drflac__read_and_decode_metadata() that allows attackers to trigger excessive memory allocation by supplying crafted PICTURE metadata blocks. Attackers can exploit attacker-controlled mimeLength and descriptionLength fields to cause denial of service through memory exhaustion when processing FLAC streams with metadata callbacks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS