Description
A vulnerability has been found in jarikomppa soloud up to 20200207. Impacted is the function drwav_read_pcm_frames_s16__msadpcm in the library src/audiosource/wav/dr_wav.h of the component WAV File Parser. The manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. Upgrading to version 20200207 is recommended to address this issue. It is recommended to upgrade the affected component. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-12
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds read leading to potential memory corruption
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in jarikomppa's SoLoud audio library, specifically within the drwav_read_pcm_frames_s16__msadpcm function in dr_wav.h. It permits an out-of-bounds read, a memory corruption condition, when parsing WAV files. Because the flaw occurs during normal file parsing, an attacker could trigger it by delivering a crafted WAV file, resulting in data leakage or potential exploitation of the application memory. The weakness is classified as improper restriction of operations within the bounds of a memory buffer (CWE-119) and out-of-bounds read (CWE-125).

Affected Systems

Versions of SoLoud preceding 20200207 are affected. The vulnerability is recorded against the jarikomppa:soloud vendor and product pair and applies to any system using a SoLoud library that has not been upgraded beyond February 7, 2020. No specific subproduct or version list beyond the 20200207 identifier is provided; therefore, any earlier release is considered vulnerable.

Risk and Exploitability

The CVSS v4.0 score is 4.8, indicating moderate severity. EPSS is reported as less than 1%, suggesting a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, so exploitation is not confirmed there. The attack requires local execution: an attacker must gain local access or be able to influence application input. Exploitation consists of supplying a malicious WAV file to the affected library during read operations. Overall, the risk depends on whether an attacker has local code execution or can place files into the application's input stream.

Generated by OpenCVE AI on March 18, 2026 at 15:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Soloud to version 20200207 or later as recommended by the vendor



Advisories

No advisories yet.

History

Fri, 13 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jarikomppa; Jarikomppa soloud
Vendors & Products | | Jarikomppa; Jarikomppa soloud

Thu, 12 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 07:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been found in jarikomppa soloud up to 20200207. Impacted is the function drwav_read_pcm_frames_s16__msadpcm in the library src/audiosource/wav/dr_wav.h of the component WAV File Parser. The manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. Upgrading to version 20200207 is recommended to address this issue. It is recommended to upgrade the affected component. The project was informed of the problem early through an issue report but has not responded yet.
Title | | jarikomppa soloud WAV File dr_wav.h drwav_read_pcm_frames_s16__msadpcm out-of-bounds
Weaknesses | | CWE-119; CWE-125
References | |
Metrics | | cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
Metrics | | cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
Metrics | | cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
Metrics | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T14:05:35.620Z

Reserved: 2026-03-11T19:01:26.939Z

Link: CVE-2026-4009

Vulnrichment

Updated: 2026-03-12T14:05:32.096Z

NVD

Status: Awaiting Analysis

Published: 2026-03-12T08:16:11.150

Modified: 2026-03-12T21:07:53.427

Link: CVE-2026-4009

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:50:02Z
