CVE-2026-29022

Source
https://cve.org/CVERecord?id=CVE-2026-29022
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29022.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-29022
Downstream
Published
2026-03-03T20:16:49.433Z
Modified
2026-04-12T20:28:23.062876Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

dr_libs dr_wav.h version 0.14.4 and earlier (fixed in commit 8a7258c) contains a heap buffer overflow vulnerability in the drwav__read_smpl_to_metadata_obj() function of dr_wav.h that allows memory corruption via crafted WAV files. Attackers can exploit a mismatch between the sampleLoopCount validation in pass 1 and the unconditional processing in pass 2 to overflow heap allocations with 36 bytes of attacker-controlled data through any drwav_init*_with_metadata() call on untrusted input.

References

Affected packages

Git / github.com/mackron/dr_libs

Affected ranges

Type
GIT
Repo
https://github.com/mackron/dr_libs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.14.4"
        }
    ]
}

Affected versions

flac-0.*
flac-0.12.43
flac-0.13.0
flac-0.13.1
flac-0.13.2
flac-0.13.3
mp3-0.*
mp3-0.6.40
mp3-0.7.0
mp3-0.7.1
mp3-0.7.2
mp3-0.7.3
wav-0.*
wav-0.13.17
wav-0.14.0
wav-0.14.1
wav-0.14.2
wav-0.14.3
wav-0.14.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29022.json"
vanir_signatures_modified
"2026-04-12T20:28:23Z"
vanir_signatures
[
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 2391.0,
            "function_hash": "274369362393551192513363769171209288243"
        },
        "source": "https://github.com/mackron/dr_libs/commit/8a7258cc66b49387ad58cc5b81568982a3560d49",
        "id": "CVE-2026-29022-fce3f2cc",
        "signature_type": "Function",
        "target": {
            "function": "drwav__read_smpl_to_metadata_obj",
            "file": "dr_wav.h"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "156795787947303449052969177408990759377",
                "59291680430260035811927451671464663129",
                "228646447708251646692394864719693196134",
                "158979362182074801015321575016085867557",
                "173586220997624508417669118978994880442",
                "91942019853083460248550813309024703446",
                "142159905643640360312427245440674607226",
                "112790070828669043927775556278995618390",
                "174212771834172706152907015960890894677",
                "260501320710546516656083547975678066426",
                "323060563103988631367845787923048641418",
                "322343670201188098949562074664305590200",
                "10465561640976524446552361072942782589",
                "227512529262938785102389554125723867218",
                "69386179624840899124734532474254819571",
                "119763434519947992881935478934869808017"
            ]
        },
        "source": "https://github.com/mackron/dr_libs/commit/8a7258cc66b49387ad58cc5b81568982a3560d49",
        "id": "CVE-2026-29022-fed86f9c",
        "signature_type": "Line",
        "target": {
            "file": "dr_wav.h"
        }
    }
]