Description
A vulnerability was identified in Nothings stb up to 1.22. The impacted element is the function setup_free of the file stb_vorbis.c. The manipulation leads to allocation of resources. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via resource exhaustion
Action: Patch Now
AI Analysis

Impact

The vulnerability lies in the setup_free function of stb_vorbis.c in Nothings stb up to version 1.22. An attacker can manipulate data to trigger allocation of resources, leading to uncontrolled resource consumption. This can potentially cause a denial of service, as the application may exhaust memory or other resources required for normal operation.

Affected Systems

Systems using the Nothings stb library, specifically releases up to and including version 1.22, are affected. No other versions are mentioned as vulnerable. The vulnerability was identified in the upstream source code used by developers embedding stb in their applications.

Risk and Exploitability

With a CVSS score of 5.3, the vulnerability is considered moderate in severity. The exploit is reported as publicly available and remote, though the EPSS score is not disclosed. Since the vendor did not respond to the disclosure, no official patch is currently available. Administrators should expect the risk of denial of service if an attacker can supply crafted data to the vulnerable function.

Generated by OpenCVE AI on April 2, 2026 at 02:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the stb library version being used in your application.
  • If the version is 1.22 or earlier, upgrade to the latest release from the Nothings stb repository.
  • In the absence of an official patch, isolate the vulnerable component by limiting its resource usage or running it in a sandboxed environment.
  • Monitor application logs for abnormal memory or CPU consumption and alert on potential exploitation attempts.
  • If upgrading is not feasible, consider removing or replacing the stb library with a more actively maintained alternative.

Generated by OpenCVE AI on April 2, 2026 at 02:05 UTC.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nothings; Nothings stb
Vendors & Products | | Nothings; Nothings stb
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in Nothings stb up to 1.22. The impacted element is the function setup_free of the file stb_vorbis.c. The manipulation leads to allocation of resources. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Nothings stb stb_vorbis.c setup_free allocation of resources
Weaknesses | | CWE-400; CWE-770
References | |
Metrics | | cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-02T18:24:28.334Z

Reserved: 2026-04-01T12:40:09.662Z

Link: CVE-2026-5316

Vulnrichment

Updated: 2026-04-02T18:24:04.708Z

NVD

Status: Awaiting Analysis

Published: 2026-04-02T00:16:25.410

Modified: 2026-04-03T16:10:52.680

Link: CVE-2026-5316

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:15:51Z

Weaknesses