CVE-2026-32836

Source
https://cve.org/CVERecord?id=CVE-2026-32836
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32836.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32836
Published
2026-03-17T20:16:14Z
Modified
2026-04-02T13:26:13.465992Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

dr_libs dr_flac.h versions 0.13.3 and earlier contain an uncontrolled memory allocation vulnerability in drflac__read_and_decode_metadata() that allows attackers to trigger excessive memory allocation by supplying crafted PICTURE metadata blocks. The mimeLength and descriptionLength fields are attacker-controlled, and can be used to cause denial of service through memory exhaustion when processing FLAC streams with metadata callbacks.
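The kind of bounds check that guards against this class of bug, as an added example that is not dr_libs code or the project's patch: every length field in a PICTURE block body is compared with the bytes actually left in the block before anything is sized from it. The names picture_info, picture_validate, take_u32 and skip are hypothetical; the example assumes the block body is in memory with n taken from the metadata block header, and uses the FLAC PICTURE layout of big-endian 32-bit fields.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names for illustration; not dr_flac's API or its fix. */
typedef struct { uint32_t type, mimeLength, descriptionLength, dataLength; } picture_info;

/* Read a big-endian u32 at *off and advance; fail if fewer than 4 bytes remain. */
static int take_u32(const uint8_t *b, size_t n, size_t *off, uint32_t *out) {
    if (n - *off < 4) return -1;
    const uint8_t *p = b + *off;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    *off += 4;
    return 0;
}

/* Skip a variable-length field; fail if its declared length exceeds what is left. */
static int skip(size_t n, size_t *off, uint32_t len) {
    if (len > n - *off) return -1;
    *off += len;
    return 0;
}

/* Walk a PICTURE block body of n bytes (n = size from the metadata block header).
   Returns 0 only if every length field fits, so callers allocate after this check. */
int picture_validate(const uint8_t *b, size_t n, picture_info *pi) {
    size_t off = 0;
    uint32_t dim;
    if (take_u32(b, n, &off, &pi->type)) return -1;
    if (take_u32(b, n, &off, &pi->mimeLength) || skip(n, &off, pi->mimeLength)) return -1;
    if (take_u32(b, n, &off, &pi->descriptionLength) || skip(n, &off, pi->descriptionLength)) return -1;
    for (int i = 0; i < 4; i++)              /* width, height, depth, colour count */
        if (take_u32(b, n, &off, &dim)) return -1;
    if (take_u32(b, n, &off, &pi->dataLength)) return -1;
    return skip(n, &off, pi->dataLength);
}

/* Constructed samples: a well-formed body, then oversized mimeLength / descriptionLength. */
static const uint8_t GOOD[] = {0,0,0,3, 0,0,0,9, 'i','m','a','g','e','/','p','n','g', 0,0,0,0,
    0,0,0,1, 0,0,0,1, 0,0,0,24, 0,0,0,0, 0,0,0,2, 0xAA,0xBB};
static const uint8_t BAD_MIME[] = {0,0,0,3, 0xFF,0xFF,0xFF,0xF0, 'x'};
static const uint8_t BAD_DESC[] = {0,0,0,3, 0,0,0,1, 'x', 0x7F,0xFF,0xFF,0xFF, 'y'};

int main(void) {
    picture_info pi;
    return !(picture_validate(GOOD, sizeof GOOD, &pi) == 0 &&
             picture_validate(BAD_MIME, sizeof BAD_MIME, &pi) == -1 &&
             picture_validate(BAD_DESC, sizeof BAD_DESC, &pi) == -1);
}
```

A streaming reader that cannot buffer the block can apply the same comparison against a running count of bytes remaining in the block.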

References

Affected packages

Git / github.com/mackron/dr_libs

Affected ranges

Type
GIT
Repo
https://github.com/mackron/dr_libs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.13.3"
        }
    ]
}

Affected versions

flac-0.*
flac-0.12.43
flac-0.13.0
flac-0.13.1
flac-0.13.2
flac-0.13.3
mp3-0.*
mp3-0.6.40
mp3-0.7.0
mp3-0.7.1
mp3-0.7.2
wav-0.*
wav-0.13.17
wav-0.14.0
wav-0.14.1
wav-0.14.2
wav-0.14.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32836.json"