Description
A vulnerability has been found in Nothings stb up to 2.30. This issue affects the function stbi__gif_load_next in the library stb_image.h of the component GIF Decoder. Such manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

The vulnerability resides in the stbi__gif_load_next function of the stb_image.h library used by Nothings' stb. It allows an attacker to supply a specially crafted GIF file that causes uncontrolled memory allocation and ultimately crashes the image decoder, resulting in a denial‑of‑service state. The weakness is identified as CWE‑1286 and CWE‑404. Because the function processes input from external GIF files, the impact arises when a malicious GIF is loaded through the library.

Affected Systems

Any deployment that incorporates Nothings stb version 2.30 or earlier is affected. This includes software that embeds stb_image.h for image loading such as certain game engines, rendering frameworks, and web applications. The vendor product is Nothings:stb; no specific sub‑product is listed. The vulnerability applies to all platforms that compile the library with the default GIF decoder.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS data is not provided and the vulnerability is not listed in CISA’s KEV catalog, suggesting it is not currently exploited in the wild. However, the attack can be launched remotely via a crafted GIF file and the public exploit is disclosed, so systems that load untrusted GIFs remain at risk. Updating to a fixed version or disabling GIF support mitigates the risk.

Generated by OpenCVE AI on April 2, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade stb_image library to a version later than 2.30 where the fix has been applied.
  • If an immediate update is not feasible, disable GIF decoding in your application or switch to a safer image decoder.
  • Scan all source locations for hard‑coded or downloaded GIF files that could trigger the failure.
  • Apply any vendor patches or security advisories as they become available.

Generated by OpenCVE AI on April 2, 2026 at 13:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Nothings
Nothings stb
Vendors & Products Nothings
Nothings stb

Thu, 02 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1286
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in Nothings stb up to 2.30. This issue affects the function stbi__gif_load_next in the library stb_image.h of the component GIF Decoder. Such manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Nothings stb GIF Decoder stb_image.h stbi__gif_load_next denial of service
Weaknesses CWE-404
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Nothings Stb
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-03T16:42:46.207Z

Reserved: 2026-04-01T12:39:59.987Z

Link: CVE-2026-5313

cve-icon Vulnrichment

Updated: 2026-04-03T16:42:41.439Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-01T22:16:21.553

Modified: 2026-04-03T16:10:52.680

Link: CVE-2026-5313

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-01T21:30:13Z

Links: CVE-2026-5313 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:22:24Z

Weaknesses