Description
A weakness has been identified in Nothings stb up to 2.30. This impacts the function stbi__load_gif_main of the file stb_image.h of the component Multi-frame GIF File Handler. This manipulation causes double free. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-31
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Double‑Free Leading to Memory Corruption
Action: Apply Patch
AI Analysis

Impact

A double‑free condition exists in the stb_image.h Multi‑frame GIF File Handler of the Nothings stb library. When stbi__load_gif_main processes a crafted GIF file, the same memory block is released twice, corrupting the heap. The CVE details do not indicate that arbitrary code execution is achieved, but the memory corruption could lead to application crashes or instability. Public exploit code is available, but triggering the bug requires that the attacker already has local access to the target system.
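The general shape of the bug class described above, as an added example: this is not stb's code and does not reproduce the actual stb_image.h defect, and the loader, decode_frame and tracked_free below are hypothetical stand-ins. A shared cleanup path frees a frame buffer that an error path already released; beside it sits a fixed variant with single ownership, plus a quarantine-style free wrapper of the kind AddressSanitizer or a hardened allocator uses to turn the second free into a reportable event instead of heap corruption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not stb's code. The loader below does not reproduce
 * stb's actual bug; it shows the generic multi-frame double-free shape
 * and a free() wrapper that catches the second release. */

#define MAX_QUARANTINE 64

/* Freed blocks are parked in a quarantine (as AddressSanitizer does) so a
 * later free of the same pointer is recognised, and so malloc cannot hand
 * the address back out while it is being watched. */
typedef struct {
    void *freed[MAX_QUARANTINE];
    int n_freed;
    int double_frees;   /* second frees caught so far */
} free_tracker;

static void tracker_init(free_tracker *t) { memset(t, 0, sizeof *t); }

/* Returns 0 on a first free, -1 when p is already in quarantine. */
static int tracked_free(free_tracker *t, void *p) {
    if (p == NULL) return 0;
    for (int i = 0; i < t->n_freed; i++) {
        if (t->freed[i] == p) {
            t->double_frees++;
            return -1;          /* report it; never call free() twice */
        }
    }
    if (t->n_freed < MAX_QUARANTINE)
        t->freed[t->n_freed++] = p;   /* real free deferred to release */
    else
        free(p);                      /* quarantine full: release now */
    return 0;
}

/* Releases every quarantined block for real. */
static void tracker_release(free_tracker *t) {
    for (int i = 0; i < t->n_freed; i++) free(t->freed[i]);
    t->n_freed = 0;
}

/* Hypothetical loader state, a stand-in for a multi-frame GIF decoder. */
typedef struct {
    unsigned char *frame;   /* pixels of the frame being decoded */
    unsigned char *out;     /* frames accumulated so far */
    size_t frame_bytes;
} frame_loader;

/* Constructed stand-in for decoding one frame: frame 1 always fails after
 * its buffer was allocated, which drives the error path. */
static int decode_frame(frame_loader *l, size_t idx) {
    l->frame = malloc(l->frame_bytes);
    if (l->frame == NULL) return -1;
    memset(l->frame, 0x42, l->frame_bytes);
    return idx == 1 ? -1 : 0;
}

/* Bug pattern: the error path frees the frame but leaves the pointer
 * dangling, so the shared cleanup at the end frees the same block again. */
static int load_frames_buggy(free_tracker *t, size_t n_frames) {
    frame_loader l = { NULL, NULL, 16 };
    int rc = 0;
    l.out = malloc(l.frame_bytes * n_frames);
    if (l.out == NULL) return -1;
    for (size_t i = 0; i < n_frames; i++) {
        if (decode_frame(&l, i) != 0) {
            tracked_free(t, l.frame);   /* first free, pointer kept */
            rc = -1;
            break;
        }
        memcpy(l.out + i * l.frame_bytes, l.frame, l.frame_bytes);
        tracked_free(t, l.frame);
        l.frame = NULL;
    }
    tracked_free(t, l.frame);   /* second free of the error-path frame */
    tracked_free(t, l.out);
    return rc;
}

/* Hardened pattern: one owner per buffer, the pointer is cleared the moment
 * it is released, and a single cleanup path frees whatever is still owned.
 * The error path no longer frees anything itself. */
static int load_frames_fixed(free_tracker *t, size_t n_frames) {
    frame_loader l = { NULL, NULL, 16 };
    int rc = 0;
    l.out = malloc(l.frame_bytes * n_frames);
    if (l.out == NULL) return -1;
    for (size_t i = 0; i < n_frames; i++) {
        if (decode_frame(&l, i) != 0) { rc = -1; break; }
        memcpy(l.out + i * l.frame_bytes, l.frame, l.frame_bytes);
        tracked_free(t, l.frame);
        l.frame = NULL;             /* released exactly once */
    }
    tracked_free(t, l.frame); l.frame = NULL;
    tracked_free(t, l.out);   l.out = NULL;
    return rc;
}

/* Runs one loader over three constructed frames and returns how many
 * double frees the tracker caught: 1 for the buggy shape, 0 when fixed. */
int double_frees_detected(int hardened) {
    free_tracker t;
    tracker_init(&t);
    if (hardened) load_frames_fixed(&t, 3);
    else          load_frames_buggy(&t, 3);
    tracker_release(&t);
    return t.double_frees;
}

int main(void) {
    printf("buggy loader: %d double free(s) caught\n", double_frees_detected(0));
    printf("fixed loader: %d double free(s) caught\n", double_frees_detected(1));
    return 0;
}
```

Building a real application with `-fsanitize=address` gives the same second-free report for production code without a hand-written tracker, and is the quickest way to check whether a given build's GIF path is reachable with the problematic pattern. Separately, stb_image.h honours a compile-time STBI_NO_GIF define that removes the GIF decoder entirely, which is the cheapest way to take the code path out of a build until a fixed release is available.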

Affected Systems

Any software that incorporates the Nothings stb library version 2.30 or earlier and uses its stb_image.h header to decode GIF images is affected. The bug resides in the header‑only implementation, so the issue is present wherever the library is built into an application. No other vendors or product families are listed in the CVE data.

Risk and Exploitability

The CVSS v3 base score is 4.8, indicating moderate severity. No EPSS score is supplied, and the vulnerability is not listed in the CISA KEV catalog. Exploitation necessitates local access, and the attacker must supply a malicious GIF file to a running process that uses stbi__load_gif_main. Because public exploit code exists, a local attacker could trigger the double‑free, potentially causing a crash or corrupting memory, but there is no evidence of remote exploitation or privilege escalation.

Generated by OpenCVE AI on March 31, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the stb library to a patched release that eliminates the double‑free condition.
  • If an update is unavailable, remove or disable GIF decoding functionality in the affected application to eliminate the vulnerable code path.
  • Run applications using the stb library with the least privilege necessary to limit the damage from a potential crash or memory corruption.
  • Monitor for abnormal crashes or memory corruption events that may indicate an attempted exploitation.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Nothings; Nothings stb
Vendors & Products    (none)           Nothings; Nothings stb

Tue, 31 Mar 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 08:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           A weakness has been identified in Nothings stb up to 2.30. This impacts the function stbi__load_gif_main of the file stb_image.h of the component Multi-frame GIF File Handler. This manipulation causes double free. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title         (none)           Nothings stb Multi-frame GIF File stb_image.h stbi__load_gif_main double free
Weaknesses    (none)           CWE-119; CWE-415
References    (none)           (none)
Metrics       (none)           cvssV2_0: {'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                               cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-31T15:36:58.990Z

Reserved: 2026-03-30T19:18:42.080Z

Link: CVE-2026-5186

Vulnrichment

Updated: 2026-03-31T15:36:55.641Z

NVD

Status : Awaiting Analysis

Published: 2026-03-31T08:15:54.970

Modified: 2026-04-01T14:24:02.583

Link: CVE-2026-5186

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:39:24Z

Weaknesses