CVE-2026-29022
Published: 03 March 2026
Summary
CVE-2026-29022 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Mackron Dr Libs. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 18.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-29022 is a heap buffer overflow vulnerability affecting dr_libs' dr_wav.h component in versions 0.14.4 and earlier. The issue resides in the drwav__read_smpl_to_metadata_obj() function, where a mismatch between sampleLoopCount validation during the first pass and unconditional processing in the second pass enables memory corruption. This flaw can be triggered by processing crafted WAV files through any drwav_init_*_with_metadata() call on untrusted input, resulting in a heap overflow of 36 bytes of attacker-controlled data. It is associated with CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H).
An attacker with local access can exploit this vulnerability by supplying a malicious WAV file, requiring user interaction such as opening the file in an application that uses the affected dr_libs functions. No privileges are needed, and the attack complexity is low. Successful exploitation leads to memory corruption, potentially allowing limited confidentiality impact alongside high integrity and availability disruptions, such as code execution or denial of service within the context of the processing application.
Mitigation is available via the fixing commit 8a7258c in the dr_libs repository, which addresses the validation mismatch. Security advisories from Marlink Cyber (MCSAID-2026-001) and VulnCheck detail the heap overflow and recommend updating to the patched version. Additional technical discussion is provided in dr_libs GitHub issue #296.
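The two-pass pattern described above, as an added sketch that is not dr_wav's code and not the contents of the fixing commit: pass 1 sizes the allocation and pass 2 fills it, and both go through one shared count check so they cannot disagree. The chunk layout, constants and function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout (NOT the real smpl chunk): 32-bit LE loop count, then 8-byte records. */
#define HDR_BYTES  4u
#define LOOP_BYTES 8u

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The one check both passes share: the declared count is accepted only when it
   agrees with the bytes actually present in the chunk. */
static int loop_count_ok(const uint8_t *chunk, size_t len, uint32_t *count) {
    if (len < HDR_BYTES) return 0;
    *count = rd_le32(chunk);
    return (len - HDR_BYTES) % LOOP_BYTES == 0 &&
           *count == (len - HDR_BYTES) / LOOP_BYTES;
}

/* Pass 1: size the allocation. A mismatched chunk reserves no loop storage. */
size_t pass1_bytes_needed(const uint8_t *chunk, size_t len) {
    uint32_t n;
    return loop_count_ok(chunk, len, &n) ? (size_t)n * LOOP_BYTES : 0;
}

/* Pass 2: fill the buffer sized by pass 1. It repeats the pass-1 check and also
   bounds the copy by the capacity it was given, instead of trusting the header.
   Returns the number of loops copied, or -1 if the chunk is rejected. */
long pass2_read_loops(const uint8_t *chunk, size_t len, uint8_t *dst, size_t cap) {
    uint32_t n;
    if (!loop_count_ok(chunk, len, &n)) return -1;
    if ((size_t)n * LOOP_BYTES > cap) return -1;
    if (n) memcpy(dst, chunk + HDR_BYTES, (size_t)n * LOOP_BYTES);
    return (long)n;
}

int main(void) {
    /* Constructed input: the header declares 3 loops, the body holds one record. */
    const uint8_t bad[] = {3,0,0,0, 1,2,3,4,5,6,7,8};
    size_t need = pass1_bytes_needed(bad, sizeof bad);
    uint8_t buf[1]; /* stands in for the heap block sized by pass 1 */
    long got = pass2_read_loops(bad, sizeof bad, buf, need);
    printf("pass1 reserved %zu bytes, pass2 returned %ld\n", need, got);
    return got == -1 ? 0 : 1;
}
```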
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9315
Vulnerability details
dr_libs dr_wav.h version 0.14.4 and earlier (fixed in commit 8a7258c) contain a heap buffer overflow vulnerability in the drwav__read_smpl_to_metadata_obj() function of dr_wav.h that allows memory corruption via crafted WAV files. Attackers can exploit a mismatch between sampleLoopCount validation in pass 1 and unconditional processing in pass 2 to overflow heap allocations with 36 bytes of attacker-controlled data through any drwav_init_*_with_metadata() call on untrusted input.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap buffer overflow in WAV metadata parser enables RCE when victim opens crafted file; directly maps to user-assisted malicious file execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of untrusted WAV metadata (sampleLoopCount) before processing, preventing the pass-1/pass-2 mismatch that triggers the 36-byte heap overflow.
Mandates timely application of the dr_wav patch (commit 8a7258c) to eliminate the validation flaw in drwav__read_smpl_to_metadata_obj().
Requires memory-protection mechanisms that can detect or block out-of-bounds writes to heap allocations during crafted WAV processing.