Cyber Resilience

CVE-2026-29022

MediumPublic PoC

Published: 03 March 2026

Published
03 March 2026
Modified
20 March 2026
KEV Added
Patch
CVSS Score v4 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0006 18.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-29022 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Mackron Dr Libs. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 18.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-29022 is a heap buffer overflow vulnerability affecting dr_libs' dr_wav.h component in versions 0.14.4 and earlier. The issue resides in the drwav__read_smpl_to_metadata_obj() function, where a mismatch between sampleLoopCount validation during the first pass and unconditional processing in the second pass enables memory corruption. This flaw can be triggered by processing crafted WAV files through any drwav_init_*_with_metadata() call on untrusted input, resulting in a heap overflow of 36 bytes of attacker-controlled data. It is associated with CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H).

An attacker with local access can exploit this vulnerability by supplying a malicious WAV file, requiring user interaction such as opening the file in an application that uses the affected dr_libs functions. No privileges are needed, and the attack complexity is low. Successful exploitation leads to memory corruption, potentially allowing limited confidentiality impact alongside high integrity and availability disruptions, such as code execution or denial of service within the context of the processing application.

Mitigation is available via the fixing commit 8a7258c in the dr_libs repository, which addresses the validation mismatch. Security advisories from Marlink Cyber (MCSAID-2026-001) and VulnCheck detail the heap overflow and recommend updating to the patched version. Additional technical discussion is provided in dr_libs GitHub issue #296.

EU & UK References

Vulnerability details

dr_libs dr_wav.h version 0.14.4 and earlier (fixed in commit 8a7258c) contain a heap buffer overflow vulnerability in the drwav__read_smpl_to_metadata_obj() function of dr_wav.h that allows memory corruption via crafted WAV files. Attackers can exploit a mismatch between sampleLoopCount validation in pass…

more

1 and unconditional processing in pass 2 to overflow heap allocations with 36 bytes of attacker-controlled data through any drwav_init_*_with_metadata() call on untrusted input.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Heap buffer overflow in WAV metadata parser enables RCE when victim opens crafted file; directly maps to user-assisted malicious file execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-41147Same vendor: Mackron
CVE-2025-1651Shared CWE-122, CWE-787
CVE-2026-26200Shared CWE-122, CWE-787
CVE-2026-21304Shared CWE-122, CWE-787
CVE-2026-25583Shared CWE-122, CWE-787
CVE-2026-21504Shared CWE-122, CWE-787
CVE-2025-2153Shared CWE-122, CWE-787
CVE-2025-2152Shared CWE-122, CWE-787
CVE-2025-24444Shared CWE-787
CVE-2025-24441Shared CWE-787

Affected Assets

mackron
dr libs
≤ 0.14.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of untrusted WAV metadata (sampleLoopCount) before processing, preventing the pass-1/pass-2 mismatch that triggers the 36-byte heap overflow.

prevent

Mandates timely application of the dr_wav patch (commit 8a7258c) to eliminate the validation flaw in drwav__read_smpl_to_metadata_obj().

prevent

Requires memory-protection mechanisms that can detect or block out-of-bounds writes to heap allocations during crafted WAV processing.

References