Description
A security vulnerability has been detected in jarikomppa soloud up to 20200207. The impacted element is the function SoLoud::Wav::loadflac of the file src/audiosource/wav/soloud_wav.cpp of the component Audio File Handler. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-01
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap-based Buffer Overflow
Action: Monitor
AI Analysis

Impact

The vulnerability resides in SoLoud's WAV file handler. The loadflac function reads FLAC data into a fixed-size heap buffer without proper bounds checking, creating a heap-based buffer overflow that corresponds to CWE-119 and CWE-122. This flaw can corrupt memory, potentially leading to abrupt process termination or, under certain conditions, the execution of arbitrary code if the attacker can manipulate the input further.

Affected Systems

All installations of the jarikomppa SoLoud library up to and including the 20200207 release are vulnerable. The flaw is in the source file soloud_wav.cpp. No version range beyond 20200207 is provided; the issue is limited to code present in that and earlier releases.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, and the EPSS score is below 1%, suggesting a low likelihood of exploitation at present. The flaw requires local access to a process that handles FLAC audio data, and it is not listed in the CISA KEV catalog. No official patch has been published yet, but the issue is publicly disclosed on GitHub and other channels, meaning an attacker can craft input to trigger the overflow if the vulnerable function is invoked.

Generated by OpenCVE AI on April 17, 2026 at 13:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the SoLoud project for a patched release that addresses the loadflac flaw, and upgrade when available.
  • If upgrading is not possible, disable FLAC support or substitute an alternative audio source that does not use the vulnerable function.
  • Restrict the execution of audio loading routines that call loadflac to processes running with the least privileges necessary.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 14:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Solhsa; Solhsa soloud
CPEs | | cpe:2.3:a:solhsa:soloud:*:*:*:*:*:*:*:*
Vendors & Products | | Solhsa; Solhsa soloud

Mon, 02 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jarikomppa; Jarikomppa soloud
Vendors & Products | | Jarikomppa; Jarikomppa soloud

Sun, 01 Mar 2026 12:30:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in jarikomppa soloud up to 20200207. The impacted element is the function SoLoud::Wav::loadflac of the file src/audiosource/wav/soloud_wav.cpp of the component Audio File Handler. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title | | jarikomppa soloud Audio File soloud_wav.cpp loadflac heap-based overflow
Weaknesses | | CWE-119; CWE-122
References | |
Metrics | | cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-02T18:15:50.546Z

Reserved: 2026-02-28T17:07:38.378Z

Link: CVE-2026-3393

Vulnrichment

Updated: 2026-03-02T18:14:12.829Z

NVD

Status: Analyzed

Published: 2026-03-01T13:16:14.610

Modified: 2026-03-13T14:23:55.590

Link: CVE-2026-3393

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:00:15Z

Weaknesses