Impact
The vulnerability arises from an uncontrolled memory allocation within the drflac__read_and_decode_metadata function when decoding PICTURE metadata blocks of FLAC streams. By supplying extremely large values for the mimeLength and descriptionLength fields, an attacker can force the library to attempt to allocate a massive amount of memory, leading to memory exhaustion and eventually causing the application to crash. This weakness is classified as CWE-789 and results only in denial of service; it does not expose data or allow code execution.
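The check this class of bug calls for, as an added example (not dr_flac's code or its fix): each 32-bit length field of a PICTURE block is compared with the bytes remaining in the block before anything is allocated. `picture_info`, `parse_picture_block` and the sample byte arrays are hypothetical names and constructed data; the field order (big-endian type, MIME length, MIME string, description length, description string) follows the FLAC format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical type for this example; not part of dr_flac's API. */
typedef struct { uint32_t type; char *mime; char *description; } picture_info;

/* Read a big-endian 32-bit field. Invariant: *pos <= len on entry. */
static int read_be32(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    if (len - *pos < 4) return -1;
    *out = ((uint32_t)buf[*pos] << 24) | ((uint32_t)buf[*pos + 1] << 16) |
           ((uint32_t)buf[*pos + 2] << 8) | (uint32_t)buf[*pos + 3];
    *pos += 4;
    return 0;
}

/* Copy a length-prefixed string, rejecting a declared length that
 * exceeds the bytes left in the block BEFORE calling malloc. */
static char *read_string(const uint8_t *buf, size_t len, size_t *pos)
{
    uint32_t n;
    char *s;
    if (read_be32(buf, len, pos, &n) != 0) return NULL;
    if (n > len - *pos) return NULL;      /* attacker-controlled length */
    s = malloc((size_t)n + 1);            /* now bounded by block size */
    if (!s) return NULL;
    memcpy(s, buf + *pos, n);
    s[n] = '\0';
    *pos += n;
    return s;
}

/* Parse type, MIME string and description; 0 on success, -1 on reject. */
int parse_picture_block(const uint8_t *block, size_t block_len, picture_info *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof *out);
    if (read_be32(block, block_len, &pos, &out->type) != 0) return -1;
    out->mime = read_string(block, block_len, &pos);
    if (!out->mime) return -1;
    out->description = read_string(block, block_len, &pos);
    if (!out->description) { free(out->mime); out->mime = NULL; return -1; }
    return 0;
}

/* Constructed samples: a valid block, and one whose mimeLength is 0xFFFFFFFF. */
static const uint8_t good_block[] = { 0,0,0,3, 0,0,0,9, 'i','m','a','g','e','/','p','n','g', 0,0,0,1, 'x' };
static const uint8_t bad_block[]  = { 0,0,0,3, 0xFF,0xFF,0xFF,0xFF, 'i','m' };
```

On success the caller owns `mime` and `description` and frees both.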
Affected Systems
The flaw is present in dr_libs dr_flac.h version 0.13.3 and every revision preceding it. Any program that includes this library to handle FLAC audio and invokes the default metadata callbacks is affected. Systems that rely on locally stored audio or receive audio over a network are potentially vulnerable until the library is upgraded or the faulty metadata handling is disabled.
Risk and Exploitability
The CVSS score of 6.9 indicates a moderate level of severity, while the EPSS score of less than 1% suggests that exploitation is not widespread. The vulnerability is not currently listed in the CISA KEV catalog. An attacker must supply a specially crafted FLAC stream that contains the malformed PICTURE block. The likely attack vector is delivery of a malicious file to the application; this vector is inferred rather than explicitly stated in the advisory. For applications exposed to untrusted audio input, the potential impact ranges from transient service interruption to complete application failure, but the overall risk is moderated by the low probability of exploitation.