Description
A security flaw has been discovered in Nothings stb_image up to 2.30. This affects the function stbi__gif_load_next of the file stb_image.h of the component Multi-frame GIF File Handler. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-31
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

In the stbi__gif_load_next routine of the Multi‑frame GIF File Handler within stb_image, a heap‑based buffer overflow can be triggered by feeding the library a maliciously crafted GIF. The overflow corrupts heap memory and may allow an attacker with local access to execute arbitrary code or crash the application. This weakness corresponds to CWE‑119 and CWE‑122.

Affected Systems

The vulnerability affects Nothings stb_image versions 2.30 and earlier. Any application that includes this library and processes GIF images is potentially vulnerable. The flaw is independent of host OS or architecture.

Risk and Exploitability

The CVSS score of 4.8 indicates a low‑to‑medium impact, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog, suggesting limited observed exploitation. However, a public exploit exists and only local, low‑privilege access is required, so any local user, or any compromised process that can get an application to parse a crafted GIF, can trigger the overflow, potentially leading to arbitrary code execution.

Generated by OpenCVE AI on March 31, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade stb_image to a version later than 2.30
  • If an update is not possible, avoid processing multi‑frame GIFs from untrusted sources or disable that feature
  • Apply system‑level memory protections such as stack canaries, ASLR, and data‑execution prevention

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Nothings; Nothings stb Image

Type: Vendors & Products
Values Removed: (none)
Values Added: Nothings; Nothings stb Image

Tue, 31 Mar 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 07:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: A security flaw has been discovered in Nothings stb_image up to 2.30. This affects the function stbi__gif_load_next of the file stb_image.h of the component Multi-frame GIF File Handler. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (none)
Values Added: Nothings stb_image Multi-frame GIF File stb_image.h stbi__gif_load_next heap-based overflow

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-119; CWE-122

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added:

cvssV2_0

{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-31T18:04:42.847Z

Reserved: 2026-03-30T19:18:38.247Z

Link: CVE-2026-5185

Vulnrichment

Updated: 2026-03-31T15:04:32.057Z

NVD

Status : Awaiting Analysis

Published: 2026-03-31T07:16:12.663

Modified: 2026-04-01T14:24:02.583

Link: CVE-2026-5185

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:39:24Z

Weaknesses